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II is my honor to welcome you to DEF CON China 1.0 оп 
behalf of DEF CON, Baidu Security and XFuture Security. 


For our 1.0 launch | am are happy to be in the 751-D Park 
with you. This space has a much more "DEF CON" feel 

than а 5 star hotel. Here | feel more freedom of ideas and 
creativily, and we have space to grow in the years їо come. 


What's new? Since last year we have gone from 5 
DEF CON Groups in China to 11 with more on the 
мау. There are more villages, contesis, events, art 
and music! It has taken the better half of a year to 
make it here and we are excited and ready to go! 


The theme this year is Technology's Promise, a positive 
vision of what could be if technology enabled our better 
selves. Instead of tracking and selling to us it could be 
used to help educate and heal us. In this spirit | want us to 
build a community of security geeks to solve the problems 
of today and face the challenges of the future. In this 
network we will be working with each other for the rest of 
our careers because internet problems are global problems 
and we will Бе the ones called on to help engineer it. 


Last year | said that at DEF CON it is your idea that counts, 
not what you look like, how much money you make, how 
many followers you have, or what kind of music you listen 
to. At DEF CON you have the freedom to ask questions, 
challenge the speakers, and change your opinions. 


Just in time for the con | am happy to announce the re-launch 
of forum.defcon.org, a place to plan all things DEF CON, hang 
ош, talk tech, make friends, start your own blog or share 
pictures of you latest project. By the time you read this the 
Android mobile app should be live with 105 not far behind. It 
is where | will be posting my after-con stories and pictures. 


Thank you, 
The Dark Tangent 


ЕЕЕ КЕРЕР СОМ, Fi HEZCA ЖЖ 
Ie 2e X DIG f 8DEF CON ЖУН 1.0. 


#71; 3857-7510 Park: 1.0 BRIMIDEF 
CON ЯҢЫ 5j ВЕЋА ДАРЈА, IX 
“ОВР СОК АЕ Uf. АЕ, 

HT ІШЕМ HEROS 3 


ВН РУНА 91062 ef] ЗЕТ 7 

ж %IMVIIIი0ლC, LESE. Tha]. 2751 ЖОЙ 

HE T 2964 -MMIIII9), ИИН ТЕН ӘН 
ЖАТ ! 3LI/II/00LC СОК Groups (УҢ) 
VIII 2:4-M95 ИПСА ЗЕН) БР 


2 


ы ш 


Еа Ее ВН БИЖ. 


Jut: [EUR EDGE d. 
VIERGE RE. МУЖА: 


II, SOS 720576 
ПНЕ. 


~ 


Tue. fum BSEC! 


Зе ЛОВ ELI SEED] 
ი #I 1799 НЕ, DR 


ЗЕ 31)| 
[3r 


ji i. fEDEF СОМ, 


TESTES UT 
წა... ეეე» 
ОАЕ. fex. ЗИВ 
ИЕА. аса 0 


ЖШ. 
rna. 


УҢ - forum.defcon.org E, М 
JÉ—^4YHUBHSDEF CONARI SES 
Пе ЕВЕ %III 


РАЛУ FEN ЕЕ ЕЖ 
БН pp 5 RU e 


ЗОНЕ ЛОВ ЛЕ 


Тһе Dark Tangent 


1000025 8, МАТ 
ЯЕ] ЕР 

153] 25, И 
1000-<, JADEF СОМ] 
DEF CON CHINA beta ; 
14, JAbetasi[1.0 ! 


DEF CON CHINA 1.0 
ЕЛ ТЕСТЕРІ 


ТЕ, ИЕ, 
с. 87 აი MI 
аад ВЕР Т, АЦЕ 
TAE АНИ, ЈУЛИ 
ТИК, ІНЕН 
13) ЕЛУ TA 
НО НЕ, ЕРЕ 
Зе AL LR 53 ER 
ЖОЗЕ · ЛАЛЕ 
СВЕВИ» — = #8 
Hi. ЖАН ЈАН — 
Жан ЗЕРЕН. ЕНЕ 
Wf. “МИ. ЖЕ. 4 
КАТТАЛ 
ა. 
POUR. Зоки НЕ, ла 
აღეს..... 
ЖЕ ИВЕ ЈЕ 


Tr Kn ТОН ТЕТ, #C)X471%IIL4%I- —^4- 
III: ЖЕУ S (Retro-Puturism) , ЖҮЗІН 
LB fth Ab. MI 7 ნ9%) 650602019 ს 2:44 
ЖЕ, 1L1 2+I 18M 4 LII2160-804-4LL. 


Бу SEATS. #9 II MMC 
ЈЕ ЕНУ, ЖИІ. ХЛ ЈАВЕ ა 
р КА Е, ІН Е-Е 
ин. Е УНЕ к. И 
ЗЕ О ИАЕА Y ЕА, (H5 ERI 
у, III I 16. ҰЯЛЫ БЕКИ е 
АВАЛИ ПРЕ, БО А Е АЈНА, ЈЕ 
АЛЕН ЕН HM — NIE. Fateor p E Ed 
ek Exi HH p. [Eo ADSIT ACE ! 


ЗА БИЈЕ ЈУАН ЈИ TO. DUAE 
8. ПИАТ. ИГИ 719786 ЛЕ НЈ 
МУР, ОХ ТЕ ЕЛЕНЕ LE АЕ MX 
ЭЛ ЕНЕ C RS > —— 38: 083 16] КОЖУ ФН 
Wu, та, ЈУЛ ДИ АКАН » 
xi tix —35 Wn] 888660 CON CHINA, 


<< 


ФИЕШИТ. ВЕНА II IX IE АРНО ! 


ФЕН. прста Хани аз КР 


3x X4] 18 DDR XE шалдар 


Тесћпојоду 5 Promise, 


10,000 kilometers, from Las Vegas to Beijing. 

15 hours time difference, from early morning to late night. 
1000 days, from DEF CON to DEF CON CHINA beta. 

1 year, from beta to 1.0! 


DEF CON CHINA 1.0, we are here as promised. 


In the past year of 2018, a variety of network security, 
privacy protection information keep pouring in. At 
present, Al is building a new era, the defense system 
has been endowed with new powerful capabilities, 

but Al its own security has become unprecedented 
complex and important, even far beyond the boundaries 
and scope of traditional network security. 


In book "New Rules for the New Economy", the futurist 
Kevin Kelly mentioned that there is only one sure 
strategy for navigating an unknown canyon, and that 

is to travel in pairs. When a corparte, communily, 
technology, or economy facing future uncertainties, to 
build partnerships, seek common goals, establish network 
10 spread the risk would be a wise choice. Only that 

could bring the hope of getting through the canyon. 


In the preparation process of DEF CON CHINA 1.0, | have 
been repeatedly exposed to a word: Retro-Futurism, which 
resembles the "Past future tense" of English grammar 

in its subtlety. The background of "Retro-Futurism" 

could be traced back to the 1960s and 19805. 


History is the product of forces. Each era is simultaneously 
pulled by forces of promoting openness and cooperation, 
and by forces of promoting isolation and confrontation. 
In the short run, it is always easier to fall than to rise, but 
in the long run it is the power of cooperation that wins. 
At the time of germination of Retro-Futurism, dosure and 
division gained the upper hand in the world for a short 
time, but at the same time, the new world represented 

by atomic energy, computer and space technology was in 
full swing, and the world entered a flourishing era. Nixon 
took a small step in China, Armstrong took a small step 
on the moon, but they were all giant leaps for mankind! 


The world today is more diverse. History does not repeat 
itself exactly, but it always rhymes. Within our meager 
strength, hackers would be one of the community 

who can call the humanity to walk in company in tacit 
understanding - following a common spiritual code, 
breaking boundaries, and forming a global community. Опе 
possible place to take this step may be DEF CON CHINA. 


Navigate together, nothing can stop 
the pace of human progress! 


In virtue of DEF CON CHINA, I hope hackers in China 
and around the world could continue the exploration 
and cooperation spirit of human, regain the confidence 
and courage to explore like the "Space Age", and 
make the future better with science and technology. 


This is the Technology's Promise to the 
world made by every hacker! 


- Ма Је 
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This year's badge was created 
specifically to bring the 

DEF CON China community 
together. As you'll soon 
discover, the badge is 

your "passport" while you 
experience DEF CON. When 
you EOS certain tasks 
around the event, your roots 
will start to grow. Complete 
all the tasks and bring your 
tree to life! The badge 15 fully 
open source and "oh 50 
you can continue to explore, 
experiment, and create with 
it after DEF CON is over. 


It has been an honor and 
challenge to create this badge 
for you and I'm excited to 

see it in action. 50, embrace 
your hacker spirit, enjoy all 
that DEF CON has to Dr 
and have fun with the badge 
along the way! 
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CODE OF CONDUCT 


DEF CON provides a forum for open 
discussion between participants, where 
radical viewpoints are welcome and a high 
degree of skepticism is expected. However, 
insulting or harassing other participants 

is unacceptable. We want DEF CON to be 

а safe and productive environment for 
everyone. It's not about what you look 
like but what's in your mind and how you 
present yourself that counts at DEF CON. 


We do not condone harassment aguinst 
any participant, for any reason. 
Harassment includes deliberate 
intimidation and targeting individuals 
in a manner that makes them feel 
uncomfortable, unwelcome, or afraid. 


Participants asked to stop any harassing 
hehovior are expected to comply 
immediately. We reserve the right to 
respond to harassment in the manner 
we deem appropriate, including but not 
limited to expulsion without refund and 
referral to the relevant authorities. 


This Code of Conduct applies to everyone 
participating at DEF CON - from 
attendees and exhibitors to speukers, 
press, volunteers, and бооп. 


Anyone can report harassment. If you 
are being harassed, notice that someone 
else is being harassed, or have any other 
concerns, you can contact 0 Goon, go to 
the registration desk, or info booth. 


Conference staff will be happy to help 
participants contact hotel security, local 
law enforcement, or otherwise assist 
ihose experiencing harassment to feel 
safe for the duration of DEF CON. 


Remember: The CON is what you make 
of it, and as а community we can create 
0 great experience for everyone. 


-Тће Dark Tangent 
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DEF CON LIVE MUSIC 


Theme: А crossover experience involving sound and light 

installation, immersive stage, technology and art. 

When: June 1st 2019, 6:30 - 9PM 

Where: 751 D-PARK Beijing 

Program: Approximately 2.5 hours, 5 parts 

PART ONE: DJ Abby 

PART TWO: Geek Music | Baidu Music Society Band) 

PART THREE: Electronic Music (777: China's premier 

and pioneering electronic music artist) 

PART FOUR: Rap (RAPPER Nineone) 

PART FIVE: Multimedia art show (Wan Who!) 

Artist Bios: 

DJ Abhy: The prettiest female DJ in the KPOP / Rap / EDM arena. 

Baidu Music Society Вапа is comprised of five geek musicians from Baidu, iQiyi and 
NetEase. At work, they are R & D engineers, product managers and marketing personnel. 
Their research fields include AI, intelligent voice, search, video eic. Their alter egos 
are musicians who have been in the limelight of major music festivals or who have 
rich experience in various music genres. Under the leadership of Zhu Shengxian, 
president of Baidu Music Association, they will open for DEF CON LIVE MUSIC. 

TIT. Founder of China's first proper electronic band "supermarket". 


NineOne: Popular Chinese rapper, whose single "Puma" launched 


г herinto fame with over 100,000 fans on Weibo. 


Wan Who?: (Floating Destiny) Floati 
installation inspired by the | Chi 
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BAIDU СТЕ, HOSTED BY BAIDU SECURITY, WILL BE HELD DURING DEF CON 
CHINA 1.0 AND BCTF 2019 WILL OFFICIALLY BECOME THE PRE-QUALIFIER 
OF DEF СОМ СТЕ. 12 TOP-LEVEL INTERNATIONAL TEAMS WILL BE INVITED 

TO COMPETE IN THE ВСТЕ FINALS. AT THE ЗАМЕ TIME, 11 АІ TEAMS 
SELECTED THROUGH BCTF-RHG ARTIFICIAL INTELLIGENCE 
SUB-STATION COMPETITIONS ARE ASSEMBLED, WHICH 
CAN USE OPENRASP, KARMA VULNERABILITY HOTFIX 
AND OTHER OPEN SOURCE TECHNOLOGIES FROM 
BAIDU SECURITY IN THE AUTOMATIC ATTACK AND 

DEFENSE COMPETITIONS. 


THE FINALS CHAMPION TEAM WILL 60 STRAIGHT 

TO ATTEND DEF CON CTF FINALS, AND THE TOP 

THREE TEAM WILL RECEIVE CASH AWARDS. 
CURIOUS ABOUT THE AMOUNT? AHA, WAITING FOR 
YOU TO EXPLORE! 


CONTESTS а EVENTS 


SCHEMAVERSE 

Th 
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battleground 


that lives inside a PostgreSQL database. Mine the hell out 
of resources and build up your fleet of ships, all while 
trying to protect your home planet. Опсе you're ready, 
head out and conquer the map from other DEF CON rivals. 


This unique game gives you direct access to the 
database that governs the rules. Write SQL queries 
direcily by connecting with any supported PostgreSQL 
dient or use your favourite language to write AI that 
plays on your behalf. This is DEF CON of course so start 
working on your SQL Injections - anything goes! 
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SCAVENGER HUNT 
зей 


The DEF СОМ Scavenger Hunt, though untraditional, has 
become the spirit of DEF CON. This contest is known for 
encouraging the hacker mentality and bringing it into 
uncommon and usually funny challenges. For newer hackers, 
non-echnical hackers, or people looking to find a unique 
way to interact with the conference, we bring you the longest 
running contest at DEF CON! For over twenty years the 
original DEF CON Scavenger Hunt has challenged hackers to 
think outside of the box. Teams of one to five players compete 
Friday morning into Sunday, accumulating as many items 
and completing as many tasks as possible from the list. Will 
you be the next to stand among the legendary scavengers? 
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DUNK TANK 
ЖӘНЕ 7:11) 


For the trivial price of a donation to charity you could take 
a turn trying to dunk various DEF CON luminaries perched 
over a pool of freezing water. Some geek, maybe even 
you, with a couple of softballs has a chance at glory. 
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Are you tired of СТЕ where 
contestants" computers aren't 
in danger of being smashed 
with a sledgehammer by 

a person wearing a hot 

dog costume? Do normal 
CTFs that don't decide the 
fate of their competitors 

at random with a novelty oversized 20-sided die bore 
you? Then come see the only CTF where the stack isn't 
the only thing being smashed: The d(struction)20 СТЕ! 


Part СТЕ part lemon race, part game show, part demolition 
derby, the D(struction)20 CTF is a contest to build an 
affordable, low-cost, usable, and powerful hacking platform, 
and compete with it! Periodically during the competition, 

a random contestant from the leaderboard will be chosen 

to roll the d20 of Destruction to decide what will happen to 
their rig. II they're very lucky, they roll a natural 20 and no 
damage will be inflicted! Otherwise, the 020 of Destruction 
will decide what type of damage will be done to their rig. If 
the rig survives their chosen fate, the contestant may continue 
playing, but either way, rolling the d20 of Destruction results 
in a big point bonus that may make the difference between 
winning and losing, even if the rig is destroyed in the process! 


https://twitter.com/d20cf 
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REPLICA ОР HALL OF SUPREME HARMONY 


The Hall of Supreme 
Harmony was built in 1416 
and completed in 1420. It 
showcases the exquisite skills 
and cooperation amongst 
ancient craftsmen which is 
difficult to achieve today. 
This is due 10 the usage of 
tenon-and-mortise technology. 
Because of its complexity, 
people seldom come into 
contad with it in today's 
world. At DEF CON CHINA 

1,0, We plan 10 use tens of 
thousands of Tang Locks to 


UN 


reproduce the Hall of Supreme Harmony on a reduced scale. 
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For the past decade, the curious and კასასი n of DEF CON 
resident artist Mar Williams has у 
been visible all over our convention... 
Mar's work isa perfec fit with. — | | 
DEF CON's vibe and has become 
а big part of our visual identity. 


For our guests at DEF CON China 1.0, 
Mar will be creating a mural live 
onsite. Once the mural is finished, 
it will be broken down to 18 equal 
pieces and distributed to guests 
at the conference. Join us at 751 
D Park in Beijing May 31 - June 2 
for a chance to bring home some one-of-kind DEF CON ari! 
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FORUM.DEFCON.ORG 


No matter what part of the DEF CON 
universe you're interested in, you should 
start at the DEF CON Forums. With a forum 
account you can reach out to a local DEF 
CON group, help us plan future events or 
even chat with other hackers. DEF CON's 
heart is its community, and the community 
meets at the DEF CON Forums. Join us! 
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ხილ апісеѕ еіс; media.defcon.org | defcongroups.org 


Welcome to DEF CON! 
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DEF CON China 1.0 Planning - May 31 - June 2 2019 Beijing 
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DEF CON is well known for its technical side, but there. 

is a vibrant artistic side as well. Each year, DEF CON 
invites live musicians and DJs from within the community 
10 perform, and we hold contests for short stories 

and art to help us bring the year's theme to life. 


We expanded the art contest to DEF CON China, and 
were delighted to find that every entry was amazing! 
DEF CON thanks everyone who shared their work with 
us. Extra special congratulations to the winners: 


3RD PLACE: ^CHING MING FESTIVAL RAIN" BY ARVIN DONG 


ЕМО LABS 


JTAGULATOR 


Joe Grand (Kingpin) 


JIAGulator is an open source hardware hacking tool that 
assists in identifying on-chip dehug interfaces from test points, 
vias, component pads, or connecors on a circuit board. 


Additional information: 
http://www jtagulator.com 
http;//www.grandideastudio.com/portfolio/jtagulator 


On-chip debug (0С0) interfaces can provide chip-level 
control of a target device and are a primary vector used 

by engineers, researchers, and hackers to extract program 
code or data, modify memory contents, or affect device 
operation оп-ће-ћу. Depending оп the complexity of the 
target device, manually locating available ОСО connections 
can be a difficult and time consuming task, sometimes 
requiring physical destruction or modification of the device. 


JTAGulator is an open source hardware hacking tool that 
assists in identifying on-chip debug interfaces from test points, 
vis, component pads, or соппесїогѕ on a circuit board. It 
currently supports the detection of JTAG and asynchronous 
serial/UART interfaces. The tool can save a significant 
amount of time during reverse engineering, particularly for 
10050 who don't have the resources required for traditional 
hardware reverse engineering processes, and bridges the gap 
between gaining physical access to circuitry and exploiting it. 


JTAGulator continues to be updated with new features 

and functionality. The project welcomes feedback/ 
contributions/pull requests from the community. JTAGulator 
hardware and core firmware is distributed under a Creative 
Commons Attribution-3.0 United States license (http;// 
creativecommons.org/ licenses/by/3.0/us/ .. Supporting 
Files, Code, etc: Complete design details, documentation, 
presentations/videos, etc. available at the project page above 
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Target Audience: Hardware, Offense, Defense 


Hardware hackers looking offensively for an entry point 
in which to compromise a hardware device. Engineers 

looking 10 defensively identify/classify their exposure Бу 
using the tool to test for open interfaces on their devices. 


Joe Grand (Gjoegrand], also known as Kingpin, is a 
computer engineer, hardware hacker, DEF CON badge 
designer, teacher, advisor, runner, daddy, honorary 
doctor, TV host, memher of legendary hacker group LOpht 
Heavy Industries, and the proprietor of Grand Idea Studio 
(grandideastudio.com). He has been creating, exploring, 
and manipulating electronic devices since the 19805. 


Joe Grand ((joegrand), X 4Kingpin, J&— 
4141 ЛЕЛЕ ШИН. DEF СОМ 
ВЕРЕН ЖОП. Bae]. PD. 68. 4 
TRECE. ЗЕЕ Л. ТАЙ 21 0იიL 
Heavy Ілдавігіев IV А. Grand Idea Studio 
(granddeastudio.com)f] I 9 7 ი LI|201:20804-4ს 
IX. (ს EEG. АННАН IX о 


OSFOOLER 


Jaime Sánchez aka segofensiva 


Traditional methods to defeat 0S Fingerprinting in Linux 
were written as kernel modules, or at least, as patches to 
the Linux kernel, like Honeyd, IP Personality, the Stealth 
Paich, Fingerprint г. IPlog... The reason is that if 
the aim is to change Linux ТСР/ІР stack behavior, and 

if we want to achieve it, we need to do it in the kernel 
layer. Most of these tools are old, doesn't work with 
actual kernels of can affect tcp/ip stack performance. 


OSfooler was presented at Blackhat Arsenal 2013. It 
was built on NFQUEUE, an iptables/ip6tables target 
which delegate the decision on packets to ძ userspace. 


It transparently intercepted all traffic that your box was 
sending in order to camouflage and modify in real time 
the flags in ТСР/ІР packets that discover your system. 


OSfooler-NG has been complete rewriten from the ground 
up, being highly portable, more efficient and combining all 
known techniques to detect and defeat at the same time: 


• Даје remote 05 fingerprinting: like Nmap or Xprobe 
* Passive remote 05 fingeprinting: like р0Ғог pfsense 
• Commercial engines like Sourcefire's 
FireSiGHT 05 fingerprinting 
Some additional features are: 
• Мо need for kernel modification or patches 
* — Simple user interface and several logging features 
* Transparent for users, internal process and services 


*  Detecting and defeating mode: 
acive, passive & combined 


• Will emulate any 05 


• — Capable of handling updated птар 
and 00! fingerprint database 


* — Undetectable for the attacker 
Target Audience: Defense and Mobile 
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DEMO LABS 
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Jaime Sánchez (aka G'segofensiva) has worked for over 
20 years as a specialist advisor for large national and 
international companies, focusing on different aspects of 
security such as consulting, auditing, training, and ethical 
hacking techniques. He holds a Computer Engineering 
degree and an Executive MBA. In addition, he holds several 
certifications, like CISA, CISM, CISSP, just to name a few, 
and a NATO SECRET security сЈеагапсе, as a result of his 
role as advisory of many law enforcement organizations, 
banks and large companies in Europe and Spain. 


He has spoken in renowned security conferences nationally 
and internationally, as in RootedCON, Nuit du Hack, Black 
Hat, DEF CON, DerbyCON, МосопМате, Deepsec, Shmoocon 
or Cyher Defence Symposium, among others. As a result 

of his researches, he has notifled security findings and 
vulnerabilities to top companies and vendors, like Banco 
Popular, WhatsApp, Snapchat, Microsoft, Apple etc. 


He is a frequent contributor on TV (TVE, Cuatro, LaSexta, 
Telecinco), press (El Pais, El Mundo, LA Times, NBC News) and 
radio programs, and writes a blog called "SeguridadOfensiva" 


Jaime Sanchez( X. 44 (Qsegofensiv: uo. IM XI 
E АЈ %CIIIIII20%4-, ФИ 
AT Jr. III. "ub. ЈЕ წაით AR 00% 
TOR. ПИ ЛЕВА ЛИ ЛИСТА ЖҮ 
MI L-”CIM ЯМ, НОРА ИТ ЕН) 
YF А. SREPRUK Ан А А АЈДЕ, 
ЖИЕН A Ed. ШСІЗА, CISM, CISSP 
EJJENATO SECRETAZcAx iT ту 45 , 


Twitter: G'segofensiva 


Website: https://www.seguridadofensiva.com 


Tools: https://github.com/segofensiva 


VOIPSHARK: OPEN SOURCE VOIP ANALYSIS 
PLATFORM 


VOIPSHARK: ЈАЈЕ МОТРАЈ ДРЕ 
ВЕНЕ 


Nishant Sharma 
R&D Manager, Pentester Academy 


Jeswin Mathai 
Security Researcher, Pentester Academy 


Ashish Bhangale 


Senior Security Researcher, Pentester Academy 
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Leveraging the packet switched network for making phone 
calls or VoIP has come a long way пом. Today, it has already 
replaced conventional circuit switching based telephones 
from the large organizations and now moving to capture 
the nonommercial users. In this talk, we will focus on 

the traffic analysis based security analysis of SIP and КТР 
protocols which are one of the most popular protocols for 
VoIP. These protocols are already gaining new adopters оп 
high rate and also replacing older protocols like H323. 


We will discuss VolPShark open source VoIP Analysis 
Platform which will allow people to analyze live or stored 
VoIP traffic, easily decrypt encrypted SRTP stream, perform 
macro analysis, generate summary specific to VolP traffic/ 
nodes and export calls/SMS/DTMF in popular user 
friendly file formats. We will also be releasing VolPShark 
collection of Wireshark plugins written in Lua under GPL. 
VolPShark is plug-n-play, easy to modify/extend and 
platform independent in nature. We will also discuss the 
currently available open source tools for SRTP decryption, 
their shortcomings and how VolPShark address those. 
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Nishant Sharma is a R&D Manager at Pentester Academy 
and Attack Defense. He is also the Architect at Hacker Arsenal 
where he leads the development of multiple gadgets for 
WiFi pentesting such as WiMonitor, WiNX and WiMini. He 
also handles technical content creation and moderation 

for Pentester Academy TV. He has 6+ years of experience 

in information security field including 4* years in WiFi 
security research and development. He has presented 
published his work at Blackhat USA/Asia, Wireless Village, 
loT village and Demo labs (DEF CON). Prior to joining 
Pentester Academy, he worked as a firmware developer at 
Mojo Networks where he contributed in developing new 
features for the enterprise-grade WiFi APs and maintaining 
the state of art WiFi Intrusion Prevention System (WIPS). 

He has a Master's degree in Information Security from 

ШТ Delhi. He has also published peer-reviewed academic 
research on HMAC security. His areas of interest indude WiFi 
and 107 security, AD security, Forensics and Cryptography. 


Linkedin: htips://www.linkedin.com/in/wifisecguy/ 
Twitter: Gwiflsecguy 
Facebook: https;//www.facebook.com/wifisecguy 


Ashish Bhangale is а Senior Security Researcher at 
Pentester Academy and Attack Defense. He has 6+ years 
of experience in Network and Web Application Security. He 
has also worked with the state law enforcement agencies 
in the capacity of a Digital Forensics Investigator and 

was instrumental in solving IT fraud/crime cases. He 

was responsible for developing and testing the Chigula 
(WiFi Forensics Framework) and Chellam (First pure WiFi 
Firewall) frameworks. He has also created and managed 
multiple projects like Vulnerable Web Application 0565, 
Vulnerable Router Project and Damn Vulnerable Wordpress. 
He has presented/published his work at Blackhat, Wireless 
Village, loT village and Demo labs (DEF CON). His areas 

of interest indude Forensics, WiFi and AD security. 


Jeswin Mathai is a Researcher at Pentester Academy and 
Attack Defense. Не has published his work at Blackhat 
Arsenal and Demo labs (DEF CON]. He has a Bachelor's 
degree from ІТ Bhubaneswar. He was the team lead 

at InfoSec Society ШТ Bhubaneswar in association with 
CDAC and ISEA, which performed security auditing of 
government portals, conducted awareness workshops for 
government institutions. He was also the part of team Pied 
Piper who won Smart India Hackathon 2017, a national 
level competition organized by Gol. His area of interest 
indudes Malware Analysis and Reverse Engineering, 
Cryptography, WiFi security and Web Application Security. 


LinkedIn: https://www.linkedin.com/in/jeswinmathai/ 
Twitter: GjeswinMathai 
Facehook: https;//www.facebook.com/jeswinMathai 
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FROM ZERO OVERHEAD TO MANY 
VULNERABILITIES: ESCALATING FUZZING 
mund S AND EFFICIENCY WITH 


ИМ ТЕЛ, РТУ ИН И TA dE 
ЈЕ 

Dr. Xinyu Xing 

Assistant Professor, Penn State University. Research Scientist, JD.com 


Yaohui Chen 


PhD student, Northeastern University's College of Computer and Information Science 


Dr. Jun Xu 


Assistant Professor, Stevens Institute of Technology 


Dr.Jimmy Su 


Head of security center, JD.com Silicon Valley 


In practice, АҒ typically exhibits high-performance 
overhead, particularly when stress-testing target software 
without access to their source code. Given a commercial 
offAhe-shelf (COTS) binary, ДЕ. needs to perform a black 
box оп-ће-ћу instrumentation through a customized 
version of QEMU running in "user space emulation" 
mode. Despite the best effort of systematic optimization, 
however, QEMU still incurs substantial overhead to 
binary-only fuzzing. According to the ДЕ. white paper, 
the overhead of QEMU based AFL is approximately 

2-5x, which significantly surpasses those fuzzing tasks 
performed through lightweight static instrumentation. 


FAST-AFL is a new fuzzing tool to enhance performance for 
binary-only fuzzing. Technically speaking, the tool is designed 
and prototyped with Intel РТ – a newly available hardware 
feature - along with a path-sensitive feedback scheme. With 
this hardware and software co-design principle, the tool could 
пої only accelerate a binary-only fuzzing task for about 29x 
but, more importantly, explore deeper program behoviors. 
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Dr. Xinyu Xing is an Assistant de at the Pennsylvania 
State University, and currently working at JD Inc. as a 
visiting researcher. His research interest includes exploring, 
designing and developing tools to automate vulnerability 
discovery, failure reproduction, vulnerability diagnosis 
(and trage), exploit and security patch generation. He was 
the speaker at BlackHat USA, BlackHat Europe and many 
academic conferences (e.g., USENIX Security and CSS]. 

He has also received hest paper awards from academic 
conferences such as CCS and ACSAC. His works have been 
featured by many mainstream media, such as Technology 
Review, New Scientists and NYTimes etc. He was also the 
organizer of NSA memory corruption forensics competition. 


Yaohui Chen is a PhD student in the Computer System 
Security program at Northeastern University's College of 
Computer and Information Science, advised by Professor 
Long Lu. Originally from Sanya, China, Chen earned his 
bachelor's degree at Tongji University in Shanghai before 
coming to Northeastern, where he now works in Professor 
Lu's Research in Software and Systems Security (RiS3) 
lab. Chen's research centers on security in Android and 
Linux systems. One of Chen's primary takeaways from his 
research thus far is the massive vulnerability that exists 
in cyberspace. By developing defense systems that help to 
prevent cyberattack, he hopes to address complex issues 
in system security and help to combat this vulnerability. 


Dr. Jun Xu is an Assistant Professor in the Department 

of Computer Science at Stevens Institute of Technology. 

He received his PhD from Penn State University, with a 
focus on cyber security. His research spans the areas of 
software security, system security, and binary analysis. 

He has developed new methodologies and techniques for 
vulnerability finding, analysis, exploitation, and mitigation. 
His research has led to the discovery of hundreds of 
previously unknown security defects. Jun is a recipient of 
ACM CCS Outstanding Paper Award, Penn State Alumni 
Association Dissertation Award, and RSA Security Scholarship. 


Dr. Jimmy Su leads the JD security research center in Silicon 
Valley. He joined JD in January 2017. Before joining JD, 

he was the director of advanced threat research at FireEye 
Labs. He led the research and development of multiple 
world-euding security products at FireEye, including network 
security, email security, mobile security, fraud detection, and 
end-point security. He led a global team including members 
from the United States, Pakistan, and Singapore from 
research to produci releases on the FireEye's first machine 
learning based malware similarity analysis Cloud platform. 
This key technology advance was released on all core FireEye 
products including network security, email security, and 
mobile security. He won the Q2 2016 FireEye innovation 
award for his seminal work on similarity analysis. He 
earned his PhD degree in Computer Science at the University 
of California, Berkeley in 2010. After his graduation, he 
joined Professor Dawn Song's team as a posidoc focusing 

on similarity analysis of x86 and Android applications. 

In 2011, he joined Professor Song in the mobile security 
startup Ensighta, leading the research and development 

of the automatic malware analysis platform. Ensighta was 
acquired by FireEye in December of 2012. He joined FireEye 
through the acquisition. JD security research center in Silicon 
Valley focuses on these seven areas: account security, APT 
detection, bot detection, data security, А! applications in 
securily, Big Data applications in security, and 107 security. 
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HACKING WIFI 
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Philippe Delteil & Guillermo 
Pilleux 


10:30-14:30 


14:00-1800 


САРТЈАМО, ANALYZING AND 
FAKING BLE COMMUNICATION 
НРК ДВИЈЕ ВЕЛИ 


Yimi Ни % Tao Guo 


SATURDAY 


10:30-1430 


14:00-1800 


ВАОСЕ HACKING WORKSHOP 
^W" DEP CON CHINA 
1.036) BET] 


Joe Grand (Kingpin) 


ADVANCED CUSTOM NETWORK 
PROTOCOL FUZZING 

1828 IL XL MI ИН 
III 

Јозћџа Регеуда 


SUNDAY 


HACK TO BASIS - X86 WINDOWS BASED 
BUFFER OVERFLOWS, AN INTRODUCTION 


10:00-14:00 


14. 


EXPLOIT DEVELOPMENT FOR 
BEGINNERS 

ПЛР АНА АЈ В 8: 
Sam Bowne & Elizabeth 
Biddlecome 


INTRODUCTION TO PHYSICAL 
ACCESS CONTROLS 
VyPEV АЕ WORKSHOP 


Valerie Thomas 


BADGE HACKING WORKSHOP 
"Wt DEF CON CHINA 
1.088 92 


Joe Grand (Kingpin) 


CAPTURING, ANALYZING AND 
FAKING BLE COMMUNICATION 
НИК ТИЕ ВГ Ез 


Үіті Но & Тао био 


REVERSE ENGINEERING MOBILE 
APPS 
SEED НИ ЈА Т.Же 
Sam Bowne & Elizabeth 
Biddlecome 


TO BUFFER OVERFLOWS. 


HACK TO BASICS - 1L | X86 


EXPLOIT DEVELOPMENT FOR 
BEGINNERS 
Е b RU ВЕНЕ 
Sam Bowne & Elizabeth 

Biddlecome 


ADVANCED CUSTOM NETWORK 
PROTOCOL FUZZING 

T2 | XL XLI ЕН 
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Joshua Pereyda 


INTRODUCTION TO PHYSICAL 
ACCESS CONTROLS 
МБ ДИЈЕ ОККЗНОР 


Valerie Thomas 


HACK TO BASICS - X86 WINDOWS 
BASED BUFFER OVERFLOWS, 
ANINTRODUCTION-TO BUFFER 
OVERFLOWS. 

HACK TO BASICS - Ж 
X86 ХІМрБОХ8 М wh pc 
iui 40], ЖЕ ЕРЕ и HH IV 
17721 

Dino Covotsos 8 Manuel 
Corregedor 


HACKING WIFI 
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Philippe Delteil & Guillermo 
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EXPLOIT DEVELOPMENT FOR BEGINNERS 
ӘНІН ІНІ PERIERE 


Sam Bowne 
Elizabeth Biddlecome 


Learn how to take control of Windows and Linux servers 
running vulnerable software, in a hands-on CTF-style 
workshop. We begin with easy command injections and 
SQL injections, and proceed through binary exploits 
induding buffer overflows on the stack and the heap, 
format string vulnerabilities, and race conditions. 


After this workshop, you will understand how memory is used 
by software, and why computers are so easily tricked into 
executing bytes as code that entered the system as data. 


We will exploit 32-bit and 64-hit Intel systems, and 
also ARM-based systems. We will examine modern 
Windows defenses in detail and learn how to defeat 
them, induding ASLR, DEP, stack cookies, and SEHOP. 


Previous experience with C and assembly language is 
helpful but not required. Participants will need a laptop 
that can run VMware or VirtualBox virtual machines. 


All materials and challenges are freely available at 501151055. 


info, and will remain available after the workshop ends. 
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Sam Bowne is ап instructor at City College San Francisco, and 
has been teaching hacking and security (105505 for ten years. 
He has presented talks and workshops at DEF CON, HOPE, 
RSA, BSideslV, BSidesSF, and many other conferences. He has 
a CISSP and a PhD and is a DEF CON Black Badge co-winner. 


Elizabeth Biddlecome is a consultant and a part-time 
instructor at City College San Francisco, delivering technical 
training and mentorship to students and professionals. She 
leverages her enthusiasm for architecture, security, and code 
o design and implement comprehensive information security 
solutions for business needs. Elizabeth enjoys wielding 
everything from soldering irons to scripting languages 

in cybersecurity competitions, hackathons, and CTFs. 
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REVERSE ENGINEERING MOBILE APPS 
HEP НА АЈ е 


Sam Bowne 
Elizabeth Biddlecome 


Ргасісе finding flaws in real Android and 105 apps in this 
fun, CTF-style hands-on workshop, and you will be ready 
їо avoid making security errors in your own apps. 


Android apps are very easy 10 unpack, analyze, modily, 
and repack; partly because of the open nature of the 
system, and partly because most companies neglect 
basic security measures. In this workshop, participants 
will hack apps from the Bank of America, IBM, Harvard, 
Home Depot, the Indian government, and other large 
organizations. We will find insecure network transmissions, 
broken cryptography, improper logging, and pervasive 
lack of binary protections. We will also analyze the way 
105 apps use network transmissions, and observe serious 
vulnerabilities in 105 apps from major companies. 


We will analyze Android internals in details, using the Drozer 
attack framework to inspect and manipulate intents to exploit 
insecure acivities and content providers. We will perform 

a protection level downgrade attack on an Android 4.3 
device,| removing security protections from the Twitter app. 


All 0055 materials are freely available on the Web, 
and will remain available after the workshop. 

All vulnerabilities were reported to the affected 
companies long ago, where appropriate. 
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Sam Bowne is an instructor at City College San Francisco, and 
has Бееп teaching hacking and security classes for ten years. 
He has presented talks and workshops at DEF CON, HOPE, 
RSA, BSideslV, BSidesSF, and many other conferences. He has 
a CISSP and a PhD and is a DEF CON Black Badge co-winner. 


Elizabeth Biddlecome is a consultant and a part-time 
instructor at City College San Francisco, delivering technical 
training and mentorship to students and professionals. She 
leverages her enthusiasm for architecture, security, and code 
10 design and implement comprehensive information security 
solutions for business needs. Elizabeth enjoys wielding 
everything from soldering irons to scripting languages 

in cybersecurity competitions, hackathons, and СТЕ. 
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HACK TO BASICS - X86 WINDOWS BASED 
BUFFER OVERFLOWS, AN INTRODUCTION TO 
BUFFER OVERFLOWS 


HACK ТО BASICS - #C- -X86 
WINDOWSIZ B DC th ЗЕЙІ, 
XT DG НА 2 

Dino Covotsos 

Manuel Corregedor 


Want to learn about exploit development but feeling 
overwhelmed at all the latest technologies and buzzwords? 


Hack to basics is a course which will provide you 
with foundational level exploit development skills 
with real world exploitation techniques. This will 
range from "Vanilla" ЕР overwrites through to 
Structured Exception Handler(SEH) exploitation and 
how egg hunters work with pracical examples. 


By the end of the course, Students can expect to know the 
basics of x86 assembly, induding some real world examples 
of exploiting vanilla EIP overwrites, ЗЕН exploitation and 
using egg hunters. This will provide an entry to the world 

of exploit development and a strong foundation to work 

off in order to make it easier to transition 10 the newer, 
more advanced technologies which are in place today. 


We will be using Python to construct our exploits, 
combined with a debugger such as Immunity or OllyDBG, 
it itis recommended to be familiar with both. 
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WORKSHÜPS 


Dino Covotsos is the founder and СЕО of Telspace Systems, 
a 100% South African-owned IT security firm, which started 
in 2002. Covotsos has many years of experience in the 
information security sector and has been involved in 
hundreds of information security projects worldwide. He is 
also a well-known presenter at international conferences, 
induding Hack In the Box, Sector, H2HC, DEF CON (Recon 
Village) and many more. Covotsos is also passionate about 
the information security community and is involved various 
community based projects. Covotsos is on the advisory board 
for the ITWeb Security Summit and has several industry 
certifications, such as the 0% ნ, 05СР, OSWP and CREST CRT. 


Manuel is currently employed as the Chief Operating 
Officer at Telspace Systems. Manuel has a passion for 
information security and over the years has gained a 
significant amount of knowledge and experience in the 
both the technical (operational) and management areas 
of information security. Throughout his career he has 
been involved in information security-related research, 
iraining, awareness and advisory projects targeting 
industry sectors, large financial/government institutions, 
multinational organisations and SMEs. Не has overseen 
a large number of projects, Manuel also facilitates and 
speaks at numerous conferences as well as taking part in 
radio interviews and forming рагі of specialist panels. 


Dino Соуогвов ДЕ Тејврасе Ѕуѕсеп ЈА МЕР ЛЕ 
TTE. Telspace Бузгспаз де 3 НЕЕ ОНЫ 
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CON (Recon Village) 44%) СомовоЊ ХИ E 2c 
ФКА, 162 ЕНЕВО Н. Covotsos 
ЕТТЕН ТІ e hn. ЕГЧ 
ИДЕ, ШО8СЕ, OSCP, ОБУРЖСКЕЗТ CRT, 


HACKING WIFI 
BRE МЕТ 


Philippe Delteil 
Guillermo Pilleux 
Wireless Networks (Wifi) are the most used type of 


network nowadays and most people don't know really 
how vulnerable they are, even WPA/WPA2 Enterprise. 


In this workshop we will cover most wifi encryptions 
being used today, how they work behind the scenes 
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and the theory of the cracking process. Also, you 
will be able to apply this knowledge on the spot 
with some reaMife-scenario wifi networks. 


Some encryptions are mathematically difficult їо crack, 
where the cracking process could take lifetimes. But 
not to worry, there still are ways to get around this 
with an attack called Man-in-the-middle (MITM). Ве 
wary! You never know to whom's Internet Access Point 
you're conneding and who's eavesdropping on you. 


Ever wondered how to get somebody's passwords of 

a website? After this workshop you will be able to 

supplant a website without the victim ever knowing it 

with Wifiphishing or DNS Spoofing the client's router. 

What to know before 
* linux commands (sed, awk, grep and the basic ones) 
ი Basic shell scripting 
* Basic knowledge about WEP/WPA/WPA2/WPS 


What you will learn 
• Ном wifi security works 
* How to audit a wireless network 


* How to perform and automate Wifi attacks 
(WEP/WPA/WPA2 (personal & enterprise)/WPS] 


• Howto use the cloud to crack 
passwords (GpuHash.me, AWS EC2) 


• Howto use your own СРИ to crack 
passwords. (in case you have one) 
How technical is the class 
• 40% theory and concepts 
• 60% writing and testing commands/ 
scripts and attacking wifls. 
What tools are we going to use 
* daircradkng (ifconfig, iwconfig, airmon-ng, airodump- 
ng, aireplay-ng, aircrackng, airbase-ng, airdecap-ng) 
ი  Reaver (reaver, wash) 
е Radius Servers (radiusd) 
. Pyrit 
.· tshark/Wireshark/tcpdump 
* Ейегсар 


What to read in advance 


*  Vivek Ramachandran & Cameron Buchanan, 2015, 
Kali Linux Wireless Penetration Testing Beginner's 
Guide, Birmingham B3 2PB, United Kingdom. 
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*aircrack-ng (ifconfig, iwconfig, airmon-ng, airodump- 


те, 


ng, aiteplay-ng, aitcrack-ng, airbase-ng, аіғаесар-па); 

*Reaver (reaver, wash) ; 

*Radius Ѕегуегѕ (radiusd) ; 

«Ругіс; 

*tshark/Wireshark/tcpdump; 

*Ettercaps 
Arta 916 ТИЈ SEPIUS 

*Vivek Ramachandran & Cameron Buchanan, 2015, 

Kali Linux Wireless Penetration Testing Beginner's 

Guide, Birmingham B3 2PB, United Kingdom 
ЖӨНІ: НУЛЫ А «Kali Гіпихас2 238 UA 
зет» ISBN: 9787115483683 А, 


Philippe Delteil is Computer Science Engineer from 

the University of Chile, he gave his first talk at DEF 
CON 26 Skytalks. Most of the time, he gives сіаѕѕеѕ for 
free in various topics: CTF, pentesting, programming, 
Basic computer knowledge. He's been working with 
Wifi hacking during the last 3 months. He has a 
company with a very clever name: Info-sec. 


Guillermo Pilleux has a B.CS. in Computer Science 

at University de Chile. Trainee in Info-Sec company 
doing Wifi hacking research. Founder and CEO of 
OneClick, ап automation solution for real estate bill 
paying. Worked in Guatemala for Opticality doing HTR 
(Handwritten-text-recognition) research. DEF CON 27 
will be his first time at DEF CON, he hopes to survive. 
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DEF CON CHINA 1.0 BADGE HACKING 
WORKSHOP 


"Wf." DEF CON CHINA 1.0Jf-F 
Wwe 
Joe Grand 


Want to dive deeper into the DEF CON China 1.0 Badge 
and discover some of the secrets hidden within? 

In this workshop, badge designer Joe Grand will 
discuss low-level details of the badge and guide you 
through setting up the development environment, 
exploring and modifying the firmware, and more! 


AURA ТІРЕ CON CHINA 1.0 НӘ 
оН: Н ПЕН ВИ р YEXXAMBEDPAS. ЛА Е 
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Joe Grand (Gjoegrand], also known as Kingpin, is a 
computer engineer, hardware hacker, DEF CON badge 


designer, teacher, advisor, runner, daddy, honorary 
doctor, TV host, member of legendary hacker group LOpht 
Heavy Industries, and the proprietor of Grand Idea Studio 
(grandideastudio.com]. He has been creating, exploring, 
and manipulating electronic devices since the 19805. 


Joe Grand ((2joegrand) , ВА y Kingpin, 
fU АРІ. ЕН. DEF CON 
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CAPTURING, ANALYZING AND FAKING BLE 
COMMUNICATION 


filis AHPURVADEIBLE JS [5 

Yimi Hu 

Tao Guo 

MI- X 

ЕБ 

In this workshop, ме will talk about ВІЕ communication 
security. As far as we know, BLE communication has been 
widely used in healthcare, heacons, and home entertainment 
industries. Thus, capturing BLE communication and doing 
some security research on BLE communication seems to be 
interesting. During this workshop, all necessary equipment is 
provided, such as CC2540, CC Debugger and corresponding 
software. Besides, BLE-ased devices, such as smart ШІ, 
smart doorlock and smart bracelet which we can find in 
our daily lives, will be analyzed and attacked. We hope 
our participants are familiar with Android development/ 
reverse-engineering or Embedded development/reverse- 
engineering. III 5 also ok, if they don't. And participants 
need to take his laptop with Win 7 or higher version. 

The whole workshop will be divided into 3 parts. And 

some challenges are left for participants in each part. 


Taking part in our workshop, you will get the following skills: 
1) Basic knowledge about BLE communication 

2) Sniffing BLE communication on the air 

3) Sending BLE packets to control devices unauthorized 

4) Faking BLE packets to deceive the controller 
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Yimi Hu, member of 0С0086, senior security researcher 
at PwnMonkey Security Lab of Beijing xFutureSecurity 
Information Technology Co., Ltd., has working on loT security 
for several years. During his career, he has committed many 
CVEs and CNNVDs on smart door locks, IP cameras and other 
devices from well-known manufacturer such as Samsung or 


Honeywell. He is also 0 public speaker. He has made many 
speeches at his country and is good at public speaking. 


Tao Guo, security researcher of xFutureSecurity Information 
Technology Co., Ltd., member of PwnMonkey Security 

Lab and DC0086, has been working on development 

of embedded devices for many years, and now mainly 
focuses on security analysis of embedded devices. 

Since when his attention is drawn to smart door locks, 
many vulnerabilities on world-famous smart door 

locks have been committed їо СМЕ and САМУР. 
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ADVANCED CUSTOM NETWORK PROTOCOL 
FUZZING 


Пра ава ЕУ А 
Јозћџа Регеуда 


Get hands on experience writing custom network 
protocol fuzzers. This class will cover the basics of 
network protocol "smart fuzzing." Exercises will utilize 
the open source network protocol fuzzing framework, 
boofuzz. Attendees will gain practice reverse engineering 
a network protocol, implementing and iterating on 
a custom fuzzer, and identifying vulnerabilities. 
After: 

* You will know the basics of fuzzing. 


* You will know how to write custom network protocol 
fuzzers using state of the art open source tools. 


* You will have hands on experience with this widely- 
discussed but still largely mysterious test method. 


Before (Prerequisites]: You should: 


•  Becomfortable doing some basic 
programming in Python. 


• Understand basic network protocol concepts (e.g. 
What is a protocol and what is a network layer). 


• Ве familiar with WireShark and how to use it. 
• Have a laptop with at least 8 GB of RAM. 


What you won't learn: 
* Exploit development. 
* Python programming. Because you 
can already do that (see above). ;) 


Fuzzing is a wide and deep field with a wide array 
of technologies. This class is a beginner-friendly 
deep dive into one niche of the fuzzing world. 


ЗК 23 А я У УВ САС ОЛ о XXI I 
104228 АЕ У 948 У ЗЕНА. 3 
ОЯН АЕ Боов ВЕР 2 
ЕЗБЕ ОУ ВИ и] LBS SER. 
SCHULE А ха УЉЕ АН. ЯЛАН 
ЕШ 5: 
ЕЕ УЕ 
ARTE | ААИ FE] foe fe ERAT UC 
Ан LI XE XIII ИМАН; 
ОЯ 
ИВЕ ВЊИУ ПА V 
18 


ПЕЊУ Wi. (тізе: 

· 2] fH Python у — ЕЈ; 
ЕА MER Cp 
ЖАНЫ АТАН ЛЕТНЕ) ; 
· RR HH WireSharkf-Ap38 lar fi JB : 
• jq ЕНУ IO RU 5 
тх]: 
“ па; 
* Рућоп в, УКЕ И о 

Д И ПЯ А АЈА, 211 2). 
МУКИ, Ж ТИАН ИЕ 

df. REDEANT REASONS] УА e 

Joshua is a software engineer specializing in information 
and network security. He has worked in the critical 
infrastructure and doud computing industries with 
employers heavily invested in software and hardware 
security. Among his passions are hacking, teaching kids to 


program, attending orchestral concerts with his wife, and 
figuring out how he сап get paid to do it all... legally. 


Joshua is the maintainer of the hoofuzz 
network protocol fuzzing framework. 
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INTRODUCTION TO PHYSICAL ACCESS 
CONTROLS 

Ayr ЈАЈРЕУОКК5УНОР 
Valerie Thomas 

Physical Access can be controlled by a variety of intelligent 
and simple devices. If you are wanting an overview 

of what these controls are and how they work, then 

this workshop is for уои. In this 61055, we will discuss 

the fundamentals of physical security, current and 


upcoming technologies, and how to put them all together 
in order to perform a red team style assessment. 


Basics 
* Facility access overview 
*  Credential and identity concepts 


* Physical Access Control System (PACS) fundamentals 
• What is RFID and why does it matter? 

Attacks 
е (НІ) hacking 
* Control system attacks 
е  Defeating physical controls (fences, gates, cameras) 
• Тһе human element of physical security 


Putting it all together 
е  Offsite/onsite reconnaissance 
• Attack planning and execution 
*  Postattack strategies 
* Reporting physical access finding 
ი Remediation approaches and reference material 
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Valerie Thomas is a technical director for Securicon that 
specializes in social engineering and physical penetration 
testing. After obtaining her bachelor's degree in electronic 


engineering, Thomas led information security assessments 
for the Defense Information Systems Agency (0154) hefore 


joining private industry. Throughout her career, Thomas 
has conducted penetration tests, vulnerahility assessments, 
compliance audits and technical security training for 
executives, developers and other security professionals. 
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listener-supported4 commercial-free4 underground/alternative 
internet radio broadcasting from San Francisco 
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LOCKPICK VILLAGE 
JF BI VILLAGE 

Want to tinker 

with locks and 

tools the likes 

of which you've The Open Organisation Of Lockpickers 

only seen in 

movies featuring police, spies, and secret agents? Then come 
on by the Lockpick Village, run by The Open Organization 

Of Lockpickers, where you will have the opportunity to 

learn hands-on how the fundamental hardware of physical 
security operates and how it can be compromised. 


The Lockpick Village is a physical security demonstration 
and participation area. Visitors can learn about the 
vulnerabilities of various locking devices, techniques used 
10 exploit these vulnerabilities, and practice on locks 

of various levels of difficultly to try it themselves. 


Experts will be on hand to demonstrate and plenty of 
trial locks, pick tools, and other devices will be available 
for you to handle. By exploring the faults and flaws 

in many popular lock designs, you can not only learn 
about the fun hobby of sport-picking, but also gain 

a much stronger knowledge ahout the Без! methods 
and practices for protecting your own property. 
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CAR HACKING VILLAGE 
ЖЕН VILLAGE 


Car Hacking Village is an interactive, hands-on 
experience. There you can use vehide network 
tools, software, and electronic control modules to 
learn or practice vehicle hacking. Connect to cars 
where you don't have to worry about breaking. 
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Bring your laptop and 
RF tools to play our 
Def Con China (ТІ. 


Learn about Key Fobs, 
CAN Bus, Automotive 
Ethernet, and vehicle 
electronics. The CHV will 
host several hands on 
work shops throughout the day, please check out the 
village ог CarHackingVillage.com for information. 


ЕЛИ аде и АЗ წ zl BU Sz Village , 
ააა... ВЕЛИ ЕЛ BETA. 
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RECON VILLAGE 
[iid VILLAGE 


Recon Village is an Open 
Space with Talks, Live Demos, 
Workshops, Discussions, 

CTFs with a common 

focus on Reconnaissance. 
The village is meant for 
professionals interested 

in areas of Open Source 
Intelligence (OSINT], Threat 
Intelligence, Reconnaissance, and Cyber Situational 
Awareness, etc. with a common goal of encouraging 
and spreading awareness around these subjecis. 


fpi Village 4-7 RB Zu]. 03а ЕҢДІ 
SERIA. ВИДЕ, ӨНУ. WIEXCIF. XX 
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HARDWARE HACKING VILLAGE 
RATE VILLAGE 


Come join us for 


hardware შეუ | 

teaching, e M 
and exploration. " MV 

We help you make IL 


your own use for 
things. We provide the tools and supplies for your hardware 


hacking pleasure; our volunteers help facilitate that. We might 
not have every tool under the sun, but we сап help cobble 
something together in order to break, make, and repurpose. 


ЖАНА ЕСТ, HR. 627 
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PACKET HACKING VILLAGE 
25 6) XL ЖУПА.АСЕ 


The Packet Hacking Village 
is where yov'll find network 
shenanigans and a whole 
lot more. PHV welcomes 

all DEF CON attendees and 
there is something for every 
level of security enthusiast. 
This village was created to 
help enlighten attendees 
through education and awareness while focusing 
on defense and blue team techniques. 


Te BL у аде, ЗЫ 26. 
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BLOCKCHAIN VILLAGE 
ЕВЕ VILLAGE 

Bits and Blocks 

AtBitsand Blocks — суі 

we showcase 

networks built 2 

on blockchain "E % 

technology. Applications controlling assets with distributed 
transactions are examined. Mandarin speakers and English 
speakers are welcome to experience a free blockchain 
workshop for beginners in the Bits and Blocks village. 
https;//www.bitshlocks.org/ 

Developments at BAT (Baidu, Alibaba, Tencent) as 

well as ІВМ, Amazon, and Opensource projects like 
cryptocurrencies and the Hyperledger are explained. 

Please come to Bits and Blocks to share your blockchain 
experience and meet other security engineers. 


For advanced hackers, Bits and Blocks features detailed 
guidance on the Schnorr signature algorithm, the 
cryptographic Merkle tree, and confidential transactions. 
Several hardware ргојесіѕ showcase developments 

in device driven blockchain applications. 
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BCOS Blockchain Village 


As innovations 
in Blockchain 
Technology 
are 


= 90, Blockchain 
с. S e Village 


making new |б, every day, ме have а lot 

о catch up on security front. Blockchain Village at DEF 
CON brings the latest of cool and exciting research, 
breaches, hacks, discussions, innovations and papers with 
hands workshop all focused on Blockchain Security. 
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VXCON VILLAGE 


VXCON (Variety 
eXploitation) 
Village is held by 
VXRL Hong Kong. 
VXRL is founded 

by a group of 
passionate security 
researchers and white-hat hackers in Hong Kong. Our team 
has deep expertise in software and hardware security, and 
we have hands-on domain knowledge in several vertical 
industries. Our mission is to make the cyberspace a safe 
place for the future. Our village this time will cover not only 
chip-off technique but alos some hardware like SMD badge 
soldering skill. It is an in-depth hand-on playground. 


VXRL ХЕР ен. НЕКЕ 
ДЕУИ А В о ТЕБИ Ch 
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AI VILLAGE 

Artificial learning — 
МУНИ /дТУ/> 
სასი» ТІЛІ, 
and network traffic 


analysis. Their use has A G Е; 


opened up new vectors aT реғсон// 

for attacks against –_ 
nondraditional targets, such as deep learning bused image 
recognition systems used in self driving cars. There are 
unique challenges in defending and attacking these machine 
learning systems that the security community needs to 

be made aware of. This Al Village will introduce DEF СОМ 
attendees to these systems and the state of the art in 
defending and attacking them. We will provide a setting 10 
educate DEF CON at large through workshops and a platform 
for researchers in this area to share the latest research. 
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Baidu mesaTEE 
ШІ МеваТЕЕ 


Curious on Intel SGX? Come and join us at the MesaTEE 
Village! Learn anything you want to know about Intel 
SGX and secure 56Х programming in Rust or Python. 
Lots of fun with hands-on experiments and challenges 
on MesaTEE. Surprising gifts for challenge winners! 
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BUGZEE SOLDERING VILLAGE 
ВОС ЕЕ ЊЕ VILLAGE 


BugZee soldering Village is here to teach soldering and basic 
electronics in the most creative and fun way possible. Since 
hackers love bugs, we took inspiration from nature and 
OWASP logo to make an electronic rendition of a bee. We call 


it BugZee and it's 
our tribute to the 
ОМАР community. 
Its entirely made 
ош of electronic 
components and 
stands tall on 

its resistor legs. 
When soldered 

and powered to 
life, it moves around making a buzzing sound and glows 


wings in the dark. 1/5 very intuitive and not too technical for 


anyone and everyone who wants to learn to solder or just 
wants to have a physical rendition of OWASP hacking bug. 
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BLACK WINDOW 
ABIDE 


Black window village offer the hasic physical penetration 
teaching for participant. We also build the model office 
for the participant to try the physical penetration. Content 
indude the least of bypassing infrared alerts, drop the 
detectaphone, stealing the secret files and so on. 


You can defend better only when you know how 
to attack. Physically experiencing the physical 
penetration protection helps protect the property 
of your individual and your enterprise. 
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DEF CON Security Geek 
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PRESENTATION SCHEDULE 


FRIDAY ЖЗ. SATURDAY ЈЕ НИ 


CREATING THE DEF CON CHINA 10 
BADGE 

DEF CON CHINA 1.0 
ФЕДЕ 


Joe Grand 


TRANSFERABILITY ОЕ ADVERSARIAL 
EXAMPLES TO ATTACK CLOUD-BASED 
IMAGE CLASSIFIER SERVICE 

ДЕЗ ВИА ICI >> У 
жи ауа 

Liu Yan, Wei Тао, Hao Xin, Wang 
Yang 
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BRIDGE ATTACK: DOUBLE-EDGED 
SWORD IN MOBILESEC 
Mex: В) % 421110 XX 
DIET 

Zidong Han 


И?" 


e. 
ES 


WARNING: MAGNITUDE 10 
EARTHQUAKE IS GOMING IN ONE 
AINUTE 

о а 
ЈЕ 

Weigvang Li, Lin Huang & Yuwei 
Zheng 


[AG-SIDE ATTACKS AGAINST МЕС 
ЗА МЕС 
hristopher Wade 


ACKING DRIVERLESS VEHICLES 
^ А 1115 76 ЛАЗЕ 


HE ART OF GAME SECURIT Y 

JU Ze 4 თ У 

Joey Zhu 

YOU ARE NOT HIDING FROM ME .NET 
NETS 

Aden Chung 


DEREVOLUTIONIZING 05 FINGERPRINTING: 


THE CAT AND MOUSE GAME 

ДЕ БАЙҒА: 224492 ДІНІ 

Jaime Sanchez 

CHINESE MECHANICAL LOCKS - AN 

INSIGHT INTO A UNIQUE WORLD OF 

LOOKS 

вазе: XR > 

gU 

Lucas Zhao 

FACE SWAPPING VIDEO DETECTION 

WITH CNN 

"შა. МАРА ЈУДЕЈИ 
ТА) 

ამი Wang, Hao Xin, Junfeng Жопа, 

Liu Yan & Wei Tao 

ЕНЕ, ЯТ, REA ES XI 6C & 6-9 

HOW TO PERFORM SECURITY ANALYSIS 

ОМОТ EQUIPMENT THROUGH BUILDING A 

BASE STATION SYSTEM 

IMXIIIXII XI: НЕЕ ЗИЯ 

И 

Жао HuiHui 

МКЖ 

ATTACKS YOU CAN T COMBAT: 

VULNERABILITIES OF MOST ROBUS 

MOBILE OPERATORS 

ВЕНА: ЛЕТІН) 

ДЕРІНІҢ 

Sergey Рихапкоу 

PV666 - ADDRESS OF THE BEAST 

IPV666: ЈЕ ВЕЋЕ 

Christopher Grayson 8 Marc Newlin 
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(ТОН THEM ALL: 10+ YEARS 
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AODERN MALWARE: DE-OBFUSCATION, 
EMULATION AND ROOTKITS 
БИЕ: ОДВОЈЕ 


Alexandre Borges 


SUNDAY АН 


BREAKING THE BACK END! IT IS NOT 
ALWAYS A BUG. SOMETIMES, IT IS JUST 
BAD DESIGN! 

TIRE Ла а Pen]! КЕРА 
Ta, P EJÉBUGRISS 


Gregory Pickett 


OIPSHARK: OPEN SOURCE VOIP 
NALYSIS PLATFORM 
/OIPSHARK: Jf iji VOIPZ)H/t 
МЕ dE 

ishant Sharma, Ashish Bhangale & 
Jeswin Mathai 


FROM ANGIENT TO MODERN: 
AGNOSING АООТ CAUSE OF 
SOFTWARE VULNERABILITIES FROM 
EXPECTED CRASHES 
r. Xinyu Xing & Dr. Jimmy Su 


MISSION IMPOSSIBLE: STEAL KERNEL 
DATA FROM USER SPACE 
Yueqiang Ch Panel 
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АС СЕВЕМОМЕ 


PRESENTATIONS 


MODERN MALWARE: DE-OBFUSCATION, 
EMULATION AND ROOTKITS 


БАЕ: ОД ОД 


Alexandre Borges 
Security Researcher, Blackstorm Security 
Blackstorm Security, 2 ЛЕ ТЕРА 


Modern advanced malware samples are used to infect 
countries and they make part of the current cyber war, 
cyber espionage and financial attacks. Furthermore, 
critical actors, who write these malicious codes, try to make 
the static and dynamic analysis really hard by heavily 
obfuscating and, eventually, virtualizing codes using 
techniques such as CFG, call stack manipulation, dead 
code, opaque predicate and so on. Understanding these 
concepts and how they are used with virtualized раскег is 
an advantage їо learn the main anti-reversing techniques. 


Therefore, to manage complex scenarios as exposed 
above, we are able to use frameworks such as МЕТАЅМ, 
MIASM and several dynamic static emulation techniques 
їо make code simpler. At end, the goal is їо reduce 

ће code (most of time by using symbolic analysis], 
making us able to get a better understanding about the 
threat. Additionally, the introduction of dynamic tracing 
(DTrace) on Windows can help us to having a better 
understanding about programs and their behavior. 


This presentation aims to show concepts and a 
practical approach on how to handle these reverse 
engineering challenges and techniques. 
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Alexandre Borges is a Security Researcher, who has 


been working on Reverse Engineering, Malware Analysis 
and Digital Forensic Analysis for many years. 
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Usually, he teaches training courses about Malware 
and Memory Analysis, Digital Forensics, Mobile 
Forensics and Mobile Malware Analysis around the 
world. Furthermore, Alexandre is the creator and 
maintainer of Malwoverview triage tool: https;// 
github.com/alexandreborges/malwoverview 


Alexandre has spoken in several conferences such as 

DEF CON 2018, H2HC conference (2015 and 2016), 
BSIDES (2016, 2017 and 2018), BHack (2018), НТВ 2019 
(Amsterdam) and CONFidence Conference 2019 (Poland). 


Alexandre Вогас Ф А. ЛЕЖИ 
а ARR, РУНЕТ 


ЕН НВК ЛЕ ЕЛИ РЈ Е 
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MISSION IMPOSSIBLE: STEAL KERNEL DATA 
FROM USER SPACE 

Yueqiang Cheng 

Tipos 

Staff Security Scientist, Baidu USAX-Lab. 

Zhaofeng Chen 
ЈЕ 
Staff Security Scientist, Baidu Ха 
Yulong Zhang 
99/2 

Principle Security Scientist, Baidu 
Yu Ding 
EE 

Staff Security Scientist, Baidu Ха 
Tao Wei 
d 

Chief Security Scientist, Baidu Хар 


With the introduction of GDPR and the emphasis on 
privacy, more and more companies and research 
institutions have begun to pay attention їо data privacy 
protection. Among the protection schemes, using the 
kernel to protect private data plays an important role. 


However, Meltdown and 5редте as a CPU vulnerability 
allow a rogue process to read the kernel data in CPU L1-d 


cache, even when it is not authorized to do so. Until now, 
the only effective mitigation approach was to isolate kernel 
memory from user-mode processes. This solution has 
different names on different platforms: Kernel Page-Table 
Isolation (КРТІ) on Linux, Kernel Virtual Address (КМА) 
Shadow on Windows, and Double Map (DM) on 05 X. 


In this talk, however, we will prove the illusion that the strong 
isolation of KPTI has perfectly defeated Meltdown to be 
incorrect. First, we propose Variant V3r to demonstrate that 
Meltdown can be improved to be more powerful and reliable 
than what people originally thought. Variant V3r significantly 
increases the reliability for a rogue process to read any kernel 
data (not necessary in 11-0 cache) on multiple platforms. 
Next, we further propose an even more powerful attack, 
Variant V3z, that allows a rogue process to bypass KPTI and 
reliably read any kernel data. To the best of our knowledge, 
V3z is the first Meltdown variant that is able to defeat KPTI. 


To demonstrate the reliability, efficiency, and effectiveness 

of these two new variants, we will show demos that 
unprivileged processes can reliably leak secrets from 
anywhere in the kernel space, even in the presence of KALSR. 


Finally, we will offer suggestions to mitigate 
our proposed threats, and we call for more and 
more parties to join in this effort to improve the 
security of processors and operating systems. 
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Yueqiang Cheng is a Staff Security Scientist at 
Baidu USA Х- аб. His research interests focus 
on System Security (e.g., SGX, Virtualization), 
Blockchain Security, and Side Channel Security. 


Zhaofeng Chen is a security researcher from Baidu 
X-Lიხ, focusing on 105//тас05 security. 


Yulong Zhang is currently working at Baidu conducting 

ће research and development of the next generation 
methodologies to analyze advanced mobile malware, and to 
design security produdss to detect and defend mobile threats. 


Yu Ding is a staff security scientist at Baidu X-Lab. His 
research interesis are security issues around Intel SGX, secure 
decentralized systems, and security protocol analysis . 


Dr. Tao (Lenx) Wei is the head of Baidu X-Lab. Prior to 
joining Baidu, he was an associate professor at Peking 
University. His research interests include software 
analysis and system protection, web trust and privacy, 
programing languages, and mobile security. 
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YOU ARE NOT HIDING FROM МЕ МЕТ 


МЕТИН 
Aden Wee Jing Chung 


Threat Hunter, F-secure Countercept 


F-secure CountetceptzZ Jk Jj 8-54 


For years, we at Countercept have seen adversaries across 
the threat pyramid make use of PowerShell 1001-15 for 
lateral movement, data exfiltration and persistence over 
different environments. As defenders, we have done a 


pretty good job - PowerShell is a fading threat in time. 
Mimikatz execution through PowerShell? AMSI and 
PowerShell logging сап handle that relatively well. 


However, adversaries being adversaries don't just give up. 
They have migrated tool-Kits 10 areus where visibility is 
still limited – such as МЕТ. Favoured by adversaries due 
to its wide range of functionulities, ease of development, 
and default presence on modern Windows platforms, 

we have seen a significant increase in exploitation 
toolkits leveraging МЕТ to perform usual activities - but 

in an area where they are relatively hidden. 


First, we'll take a look at these tools - what they do, and 
how they work. Techniques such as DCOM object abuse, 
runtime code compilation and in-memory assembly loading 
(performed by the DotNetToJscript project) would be 
examine in detail. These techniques are used by exploitation 
toolkits such as GhostPack, SharpShooter, and SileniTrinity, 
and thus are very relevant to defenders. We'll then focus 

on detection. We'll examine the indicators such toolkits 

and techniques leave behind, and how we can detect 

them utilising various sources of telemetry, collected via 
open-source tooling, such as process logging, DLLs imports 
and ETW tracing of ЛТ compilation or Interop events. 


At the end of the day, attendees will walk away with 

an understanding of the inner workings of various 

МЕТ techniques as well as how they can be used to 
compromise а windows machine siealthily. Additionally, 
attendees will learn how a defender can leverage on 
open source tooling to detect and hunt for МЕТ attacks. 


Countercept4 ЖБЖ s CUBE $9 gulae а ИУ 
fit jPowerShell T. АЕ 45 fs] А НЕ АЈ, 
а), МОДЕНА Gs РЕДНИ, 
ЖИЕ JJ iEPowerShell p J^ ЖЕНА ABS] elt 
Wh. def а Ромегће ҢА у Mimikatz ?AMSI 
filPowerShell Н zz VI Dt [6] 8845-853 XLII f Do 


ЖЕТІ, ХРАНА lcu DRE 
ERE STRE ПЕН ЕВО МЕТ), SER. NET 
ЈЕНЕ EpTJTADUYESUNWindows 

8 LM ЖЕ. ЕРИ ИЕ 
TESERUT МЕТИ ІІ 22 А600 30 
Жп, [EUG RS РУНА ЕНИ UR, 


Tic. тета. ФП T RAS IE RR 
ТЕЛІ Y fik. ЭБЧОСОМХ ШЕНІ. 3e (TREATS 
d ERA erp RIT DC HEDotNetToJscript 

XIII BUD ВЕЖУ РЕДНИ Эре 
ЕЕГ, "npGhostPack, Зћагр5ћооге 1 
SilencTrinity (RI А], РЕ ау ИН 
A. ZU 14 ЕНИ ОВАА L 
БИН ФӘНИ. ІНЖІЛДІ T Folio 5 
MM PE WU СЕ ЋЕ | | іп. ОП. АЖЕТЧ/ 
მახე II A E SX БАРЕ SOS I ВИ 


жара. SUE ГАМЕТЕ 
ARV ETEJSGR. I MM 8 FE IX ICI 


= 


МАРИНИ Ол п до ЖК, 22 
282 ГЕВАРА АДИ ТИНА TT ACRES T. 
АМЕЛИ ZR VECHIGE 


Aden performs hand to hand detection and response 
combat, with real world adversaries 05 port of his 
life as a Threat Hunter at Countercept. Armed with 

a rainbow colored keyboard, ensuring no activity 

is left undetected is Aden's focus, regardless of 
toolkit, geographical origin, or sophistication. 
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CREATING THE DEF CON CHINA 1.0 BADGE 
DEF CON CHINA 1.0664 
ii 

Joe Grand 

(Kingpin) 


In honor of the first official DEF CON China event, 

we present to you a badge with a purpose. Created 
with the specific goal of bringing the DEF CON China 
community together, the badge is a fun, open source, 
hackable, and reusable electronic device. 


Join badge designer Joe Grand as he guides you 
through the entire badge development process, 
induding early concepts, prototyping, manufacturing, 
and all of the challenges he faced along the way. 
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Joe Grand ((Gjoegrand], also known as Kingpin, is a 
computer engineer, hardware hacker, DEF CON badge 
designer, teacher, advisor, runner, daddy, honorary 
doctor, TV host, member of legendary hacker group LOpht 
Heavy Industries, and the proprietor of Grand Idea Studio 
(grandideastudio.com). He has been creating, exploring, 
and manipulating electronic devices since the 19805. © 
joegrand (Twitter) and http;//www.grandideastudio.com 


Joe Grand ((joegrand), X 4Kingpin, ЖІ, 
ЖЫ. МУР. DEP СОМЕ Ж 
სწა ІН. НЫН. ARTE. AATPER/E. IL 
ЖЕ. РИ А АІ Орће Heavy Industries 
ІЛКІ. Grand Idea Studio (granddeastudio.com) 
ВТ. B2OTEZISO4E [C DIOE. /ს- ELS 
ШАБ], НИЕ АНД. @јосагапа 


(Twitter) http:/ /www.grandideastudio.com 
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IPV666 - ADDRESS ОЕ THE BEAST 
IPV666: ЈЕВ 


Christopher Grayson 
Security Engineer, Bird Ride. 

Bird Ride ff c4 ТЕЛІ 
Marc Newlin 

Security Engineer 

пољ fai 


Global adoption of IPv6 continues to grow, with Google 
reporting IPv6 as 25% of its client traffic. IPv6 comes with 
a slew of improvements from larger address space to 
self-organizing addressing to required support of multicast, 
but these improvements are a double-edged sword. 

With NAT going away, DHCP no longer being required, 
modern operating systems and networks supporting and 
preferring ІРуб over IPv4, ICMP being required for network 
operation, iptables not applying to IPv6, and multiple 

IP addresses being associated with individual interfaces, 
IPv666 conjures the perfect storm of fail open defaults. 


Why, then, haven't more boxes been popped via IPv6? 
It turns ош finding live hosts over ІРуб is a non-trivial 
problem (2^128 is a little bit bigger than 2732)! 


In this talk we will cover how we've approached solving the 
ІРуб address discovery problem. We'll cover the various 
mistakes we made, the predictive clustering model and 
neighboring address discovery that we've built into our 
ipv666 toolkit (with a new and improved discovery rate of 
343 addresses per second), and the new weh portal we've 
created that provides access to our aggregated IPv6 address 
data set. In providing this data and tool set we hope to enable 
researchers to evaluate the security posture of IPv6 hosts. 
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Chris Grayson (OSCE) is a security engineer at Bird Ride. In 
this roles he designs and implements distributed systems 
and addresses security issues at scale. Prior to joining Bird 
Rides Chris was a security engineer at Snap, Inc., a founder 
at Web Sight, a senior penetration tester at Bishop Fox, and 
a research scientist at the Georgia Institute of Technology. 
During his tenure at these organizations Chris grew into both 
a breaker and a builder, becoming adept at compromising all 
manners of systems as well as designing and implementing 
mechanisms 10 protect them. Chris has spoken at numerous 
security conferences such as DEF CON, ТоогСоп, ShmooCon, 
and HushCon, and attended the Georgia Institute of 
Technology where he received two degrees and organized 
and lead the Grey Ht student hacking organization. 


Marc is a security engineer by day, and SDR hacker hy night, 
having 015010560 wireless vulnerabilities to 21 vendors in 

the last two years. A glutton for challenging side projects, 

he competed solo in two DARPA challenges, although he 
never went to college. In 2013-14, Marc got into SDR by 
competing in the DARPA Spectrum Challenge, placing second 
in the preliminary tournament. In 2011, he wrote software 
10 reassemble shredded documents, finishing the DARPA 
Shredder Challenge in third place out of 9000 teams. 
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BRIDGE ATTACK: DOUBLE-EDGED SWORD IN 
MOBILESEC 


IC: ЗЕ ЕН А ІЗ 
Zidong Han 
Tencent Mobile Security Labs, Razor Team 


ЖЖ 
МН ӘУЕ ЕЗ ЗЕ 24-00-9661 


Bridge Анаск(ВА) is new attack surface for mobile phone 
and I0I devices in LAN. The abstract bridge is usually 
implemented by some custom schemes or protocols, such 
as Javascript Bridge in webview, Upnp Protocol in 107. In 
some cases, the Bridge's expanded ability makes the risks 
of devices in LAN, and the vulnerability can be persistently 
exploited with a common web attack (Eg. XSS/CSRF) 


Bridge Attack finds the potential vulnerability іп 
communication between internal and external 
components. We think that external component gives 
more data-flow attack entries which should be checked 
identification in the internal component. That means 
bridge attack makes devices in LAN face more attack 
risks which can lead to remote code execution, sensitive 
data leak and 107 devices being controlled. 
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Tidong Han, is an android security researcher from Tencent 
Mobile Security Lab, Razor Team. Focuses on mobile 
security research, especially App vulnerability and 107 
related security research, Attended HITB-SECCONF-2018- 
Beijing,as 0 speaker in CommSec: "Who Hijacked Му 
Smart Home: Опе URL to Hack ALL 107 Device" Attended 
GeekPwn 2018, Hack Pwn in House. Found and exploited 
more than 20 vulnerabilities in eight kinds of 107 devices. 
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WARNING: MAGNITUDE 10 EARTHQUAKE 15 
COMING IN ONE MINUTE 


ფს. ТОЕ “2-9IIIX 


Weiguang LI 
LTE Security Researcher from 360 Technology 


JingLi Hao 
Yuwei Zheng 


Public warning system (PWS) based on mobile 
communication system is used to alert the public їо 


emergency events such as earthquakes, tsunamis, hurricanes, 


eic. We carefully study the PWS in LTE network and uncover 
the vulnerability of PWS in LTE air interface, i.e., the warning 
messages of the PWS are not encrypted or signed when 

they are transmitted over the air. Thus, it is possible that 
malicious PWS warning messages Сап be transmitted. 


We simply use a low cost soft define radio (SDR) 
device and modify not much code of the [TE open 
source project srsLTE in order to forge the warning 
messages. Both Apple and Android test mobile phones 
are affeced by our forged warning messages. 


Fake PWS warning messages will cause serious panics 
among the population, they also could be used to send 
advertising or spam messages. The public warning 
system may become paralyzed and useless under the 
threat of the abuse of fake warning messages. 
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Weiguang Li is a mobile network security researcher 

from UnicornTeam of 360 Technology Co. Ltd in China. 

He mainly focuses on GSM and LTE security, He is also 
interested in NB-IOT baseband reverse engineering and 
software-defined radio development. WeChat: Colorlight 
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Yuwei Zheng is a senior security researcher from 
360 technology. He focuses on the security issues 
of embedded hardware and 107 systems. He was 
the speaker of DEF CON, HITB and BlackHat. 


JingLi Hao is a researcher of 360 Security Research 
Institute, member of Unicorn Team, satellite hacker 
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СОТ ТО 6 ТОН THEM ALL: 10+ YEARS OF 
WAR STORIES GLITCHING EMBEDDED AND 
107 DEVICES 


ТОА: Wo ied; STO TAURI 
Шыған 


Катіго Раге|а 
Technical Leader, Riscure Security Lab China 


TORIA GQRiscure ЕР ҰЗ 


оз 


Fault injection, also known as glitch attacks, is a hardware 
hacking technique that has been successfully used to 

attack all kind of targets for more than 20 years. However, 
most of the security experts ignore about its existence or 
understates its risks. With the recent decrease on the tooling 
cost required to perform fault injection, these type of attacks 
have become affordable for the masses. At the same time, 
ће generalization of secure coding practices and the rise of 
the [07 devices based on small SoCs is increasing the interest 
on these and other hardware attacks, as quite often nowdays 
they are the only resort to attack some electronic devices. 


In this talk, we tell our war stories about performing fault 
injection attacks on a wide variety of devices used by 
different industries. Our real stories - a compendium of 
more than 10 years of experience as hardware security 
analysts - will cover the full spectrum what fault injection is 
about. We will be talking about shooting lasers, breaking 
military grade cryptography, unblocking locked devices, 
revealing the deepest secrets hidden in the hardware and 
much more. But not everything is lost for your electronic 
devices! We will also talk about how you can protect your 
hardware and software against these powerful attacks. 
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Ramiro Pareja is the technical leader of the Riscure security 
testing laboratory located in China. He has large experience 
on hardware security and he specializes on Embedded 
Systems and SoC security. In the last years, Ramiro has 
developed an interest and expertise in the automotive 
industry (embedded and connected technologies deployed in 
modern vehicles], applying fault injection and side channel 
attacks - very common in other markets like smartcards ог 
content protection – to the automotive electronic systems. 


If it has chips, he can break it ;) 
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BREAKING THE BACK END! IT IS NOT ALWAYS 
A BUG. SOMETIMES, IT IS JUST BAD DESIGN! 


1) BOR mdi]! ИУ АИ, Ж 
ЖЛЕВОСІМЯ 


Gregory Pickett 
Cybersecurity Operations, Hellfire Security 
Hellfite Security ји] а 2744 TD 


Reverse engineering is critical to exploitation. However, 
going through the process of reverse engineering can 
often lead to a great deal more than just uncovering 

0 bug. So much so that you might find what you need 
for exploitation even if you don't find a bug. 


That's right. If you go through object data, object 
representation, object states, and 51016 changes enough you 
can find out quite a lot. Yes. Poor application logic is a bitch. 
Just ask any application penetration tester. This time it is 

not the magstripe. It's appsec and you will get їо see how 
application attacks can be used against a hardware platform. 


In this talk, I will go through the journey that | took in reverse 
engineering the public transportation system of an east asian 
теда-йу, the questions that | asked as | wondered "How 
does this work?", the experiments that | ran to answers those 
questions, what | learned that lead me to an exploit capable 
of generating millions of dollars in fake tickets for that very 
same system, and how other designers can avoid the same 
fate. Not without risk, this research was done under a junta 
50 | will also Бе telling you how I kept myself out of jail 

while doing it. Please join me. You won't want to miss it. 
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Gregory Pickett СІЅ5Р, GCIA, СРЕМ has a background in 
intrusion analysis for Fortune 100 companies but now 
heads up Hellfire Security's Managed Security Services 
efforts and participates in their assessment pradice as 

a network security subject matter expert. As a security 
professional, his primary area of focus and occasional 
research is networks with an interest in using network traffic 
10 better understand, to better defend, and sometimes to 
better exploit the hosts that live on them. He holds a 8,5. in 
Psychology which is completely unrelated but interesting to 
know. While it does nothing to contribute to how he makes 
a living, it does demonstrate how screwed up he actually is. 


Gregory Pickett CISSP, ОСТА, СРЕМ Л 
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ATTACKS YOU CAN'T COMBAT: 
VULNERABILITIES OF MOST ROBUST MOBILE 
OPERATORS 


ЛМЕ ОЛЕН rg HAE 
РА НА 


Sergey Puzankov 
Telecom Security Expert, Positive Technologies 


Positive Technologies, IL / 2C4>#%C 


The mobile world is moving to 56. However, there are billions 
of subscribers who still use old 26 and 36 networks. These 
networks rely on the 557 (Signaling System #7) protocol 
stack that was developed in the 19705. The 557 stack was 
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supposed to be used as an isolated network within a small 
dub of large telephone operators, so nobody thought about 
upperdayer security mechanisms. Further development 

of 557 brought the possibility of sending signaling traffic 
over IP networks. Thus, the 557 stack got vulnerabilities 
"by-design" that allow an external intruder to perform 
such attacks as location tracking, service disruption, SMS 
and voice call interception. Mobile operators, equipment 
vendors, and non-commercial organizations (such as the 
GSMA - the association of mobile operators) are aware 

of the problem. They develop and implement security 
solutions mitigating threats from 557 networks. 


Our recent research shows that 557 has vulnerabilities 
that allow bypassing any protection tools. Manipulation 
of parameters on different layers of an 557 message 
may help an intruder to cheat a security tool and achieve 
the goal even with subscribers served by a well-protected 
network. The research findings were reported to the 
65МА Coordinated Vulnerability Disclosure Programme 
and FASG (Fraud and Security Group]. The report was 
used for a security recommendations update. 


In this presentation, | will demonstrate how an intruder can 
use new 557 vulnerabilities to Вура55 security tools. | will 
explain why it is possible and how network equipment (6005 
10 malicious traffic. In addition, | will give recommendations 
1o operators on how to make their networks more secure. 
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Sergey was born in 1976. He graduated from Penza 
State University with a degree in automated data 
processing and management systems in 1998. Before 
joining Positive Technologies in 2012, he worked as a 
quality engineer at VimpelCom. Being a security expert 
in telecommunication systems at Positive Technologies, 
he researches signaling network security and participates 
in audits for mobile operators around the world. 


Sergey is also the general developer of the PT Telecom 
Vulnerability Scanner tool, member of the PT Telecom 
Attack Discovery development team, writes Positive 
Technologies annual reports on telecom security. 


He is part of the team that revealed vulnerable points 

in popular two-factor authentication schemes using 

texis and demonstrated how easy it is to compromise 
Facebook, WhatsApp, Telegram accounts, and a Bitcoin 
wallet. Apart from that, Sergey actively contributes the 
results of security research and discovered vulnerabilities 
o global organizations, such as GSMA and Т. 
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DEREVOLUTIONIZING OS FINGERPRINTING: 
THE CAT AND MOUSE GAME 

ЖАЙҒА: ЕРЕЕН 
Jaime Sanchez 


Glohal Security Research Lead, Telefónica 
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With the explosive growth and distributed nature of computer 
networks, it has become progressively more difficult to 
manage, secure, and identify Internet devices. An outsider has 
ће capability to discover general information, such as which 
operating system a host is running, by searching for default 
stack parameters, ambiguities in ІЕТЕ RFCs or non-compliant 
TCP/IP implementations in responses to malformed requests. 
By pinpointing the exact OS of a host, an attacker can launch 
an educated and precise attack against a target machine. 


There are lot of reasons to hide your 05 to the entire world: 


*  Revealing your 05 makes things easier 10 find and 
successfully run an exploit against any of your devices. 


* Having and unpatched or antique 05 version 

is not very convenient for your compuny prestige. 
Imagine that your company is a bank and some users 
notice that you are running an unpatched box. They 
won't trust you any longer! In addition, these kind of 
"bad" news are always sent to the public opinion. 


* Knowing your 05 can also become more dangerous, 
because people can guess which applications are you 
running in that OS (data inference). For example if 

your system is a MS Windows, and you are running a 
database, it's highly likely that you are running MS-SQL. 


* |і соу be convenient for other software 
companies, to offer you a new 05 environment 
(because they know which you are running). 


• And finally, privacy; nobody needs 10 
know the systems you've got running. 


This talk aims to present well-known methods that perform 
dassification using application-ayer traffic (TCP/IP/UDP 
headers, ICMP packets, or some combination thereof], old 
style approaches to defeat remote 05 fingerprinting (like 
iweaking Windows registry or implement patches to the 
Linux kernel] and why this doesn't work with nowadays and 
could affect TCP/IP stack performance. We'll also present a 
new approach to detect and defeat both active/passive 05 
fingerprint with OSfooler-NG, a completely rewritten tool, 
highly portable, completely undetectable for the attackers 
and capable of detecting and defeating famous tools like 
птар, рој, Xprobe, pfsense and many commercial engines. 


Sorry guys, 05 fingerprinting is over... 
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Jaime Sánchez (aka Gsegofensiva) has worked for over 
20 years as a specialist advisor for large national and 
international companies, focusing on different aspects of 
security such as consulting, auditing, training, and ethical 
hacking techniques. He holds a Computer Engineering 
degree and an Executive MBA. In addition, he holds several 
certifications, like CISA , CISM , CISSP., just to name a few, 
and a NATO SECRET security clearance, as a result of his 
role as advisory of many law enforcement organizations, 
banks and large companies in Europe and Spain. 


He has spoken in renowned security conferences nationally 
and internationally, as in RootedCON , Nuit du Hack , 

Black Hat , DEF CON , DerbyCON , МосопМате , Deepsec , 
Shmoocon or Cyber Defence Symposium , among others. As 
a result of his researches, he has notified security findings 
and vulnerabilities to top companies and vendors, like 
Banco Popular, WhatsApp, Snapchat, Microsoft, Apple etc. 


He is a frequent contributor on TV (TVE, Cuatro, LaSexta, 
Telecinco), press (El Pais, El Mundo, LA Times, NBC News) and 
radio programs, and writes a blog called "SeguridadOfensiva" 


Jaime Sánchez(X. 44 (Qsegofensiva)204 ^F. 3€ — Ej Ji 
28 E AUR Es ра АЈ #%IIIMI, Ae TET 44-10 ЖІН 
Jimi. lv. Vip. ВИНО ЕЛИ ВЕЖЕ: 


Jeswin Mathai 

Securily Researcher, Pentester Academy 
Pentester Academy[*] ӘЛ ТР 
Ashish Bhangale 

Senior Security Researcher, Pentester Academy 
Pentester Асааету ЛДЕ ОА ЕН, 


Leveraging the packet switched network for making phone 
calls or VoIP has come a long way пом. Today, it has already 
replaced conventional circuit switching based telephones 
from the large organizations and now moving to capture 
the non-commercial users. In this talk, we will focus оп 

the traffic analysis based security analysis of SIP and КТР 
protocols which are one of the most popular protocols for 
VoIP. These protocols аге already gaining new adopters on 
high rate and also replacing older protocols like H323. 


We will discuss VolPShark open source VolP Analysis 
Platform which will allow people to analyze live or stored 
VoIP traffic, easily decrypt encrypted SRTP stream, perform 
macro analysis, generate summary specific to VolP traffic/ 
nodes and export calls/SMS/DTMF in popular user 
friendly flle formats. We will also be releasing VolPShark 
collection of Wireshark plugins written in Lua under GPL. 
VolPShark is plug-n-play, easy to modify/extend and 
platform independent in nature. We will also discuss the 
currently available open source tools for SRTP decryption, 
their shortcomings and how VolPShark address those. 


TUI AT ELSE У FLUTE | CV იIIXLL26 49. 
TRAINER. Wn. ЕЕЕ I (6976 | 9, 
ВРЕДНЕ МАНА, ИНЕМЕН 

ЗЕТИ РОНЕ» ТЕЖИНЕ, ИТЕ ЗЕ 
ТЕЗЕ 1 5021-0950 АИК ТРИ АНУ 224-022 
Ж. ЗОЕН nico tr BJ V0IIIIIIX 2 —. БЕБИ 
CAS DR КА T MUERE. JEUX 
T HS23pX FERE EIUS. ВИРУ МО ТРУћ а ЈЕ 
J&VoIPRJZHISE & ЖЕЉУ ВА 122059 SUE 
(MIIVი 10766, 421891) ВЕНЕ ТРЕ, ВИТ 
AY. ДЕЕ | VoIP Ek Ti SERE, ЈЕ 
Vitr B РА сај /5MS/DTMF, Ж 
1:215 VolPShark Мігеѕһа 0, ЗЕТЕ 

ТЕСР мај 2 Уо1Р5һаг 5 ВА В 


ЕСЕ Я ЛАВРИ Ево ЬЬ, 
“1 4 სენა MICIII7მI IV ЕБ АИ. ВИД] 
ІШЕЙІН, fEBEGTGE. ШСІЗА, СІЅМ, CISSP( 
АУЭ ЛОАР s 


VOIPSHARK: OPEN SOURCE ҮЙІР ANALYSIS 
PLATFORM 
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Nishant Sharma 
R&D Manager, Pentester Academy 
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Nishant Sharma is a R&D Manager at Pentester Academy 
and Attack Defense. He is also the Architect at Hacker Arsenal 
where he leads the development of multiple gadgets for 
WiFi pentesting such as WiMonitor, WiNX and WiMini. He 
also handles technical content creation and moderation 
for Pentester Academy TV. He has 6* years of experience 
in information security field including 4% years in WiFi 
security research and development. He has presented/ 
published his work at Blackhat USA/Asia, Wireless Village, 
loT village and Demo labs (DEF CON). Prior to joining 
Pentester Academy, he worked as a firmware developer at 
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Mojo Networks where he contributed in developing new 
features for the enterprise-grade WiFi APs and maintaining 
the state of art WiFi Intrusion Prevention System (WIPS). 

He has a Master's degree in Information Security from 

ІШ Delhi. He has also published peer-reviewed academic 
research on HMAC security. His areas of interest include WiFi 
and 107 security, AD security, Forensics and Cryptography. 


Ashish Bhangale is а Senior Security Researcher at 
Pentester Academy and Attack Defense. He has 6* years 
of experience in Network and Web Application Security. Не 
has also worked with the state law enforcement agencies 
in the capacity of a Digital Forensics Investigator and 

was instrumental in solving IT fraud/crime cases. He 

was responsible for developing and testing the Chigula 
(WiFi Forensics Framework) and Chellam (First pure WiFi 
Firewall) frameworks. He has also created and managed 
multiple projects like Vulnerable Web Application 0505, 
Vulnerable Router Project and Damn Vulnerable Wordpress. 
He has presented/published his work at Blackhat, Wireless 
Village, loT village and Demo labs (DEF CON). His areas 

of interest indude Forensics, WiFi and AD security. 


Jeswin Mathai is a Researcher at Pentester Academy and 
Attack Defense. He has published his work at Blackhat 
Arsenal and Demo labs (DEF CON). He has a Bachelor's 
degree from ІТ Bhubaneswar. He was the team lead 

at InfoSec Society ІШ Bhubaneswar in association with 
CDAC and ISEA, which performed security auditing of 
government portals, conducted awareness workshops for 
government institutions. He was also the part of team Pied 
Piper who won Smart India Hackathon 2017, a national 
level competition organized by Gol. His area of interest 
indudes Malware Analysis and Reverse Engineering, 
Cryptography, WiFi security and Web Application Security. 
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TAG-SIDE ATTACKS AGAINST МЕС 
Xii МЕС 
Christopher Wade 


This talk covers tag-side attacks against NFC communication 
protocols, including cracking of Mifare encryption keys 

and performing targeted attacks against NFC readers. 

In addition, it will cover the design and creation of 

devices capable of emulating NFC tags down to the raw 
protocol using standard components and tools, with no 
abstraction to dedicated hardware, covering and expanding 
on the capabilities of available products. This talk will 
contain how 13.56MHz NFC works at a raw level, how 

tools can be built for analysing it, how the protocol can 

be implemented in full on standard Microcontrollers, 

and the security weaknesses present in ils design. 


ZEB UTER si SENT CAS fei ВУ НОВЕ ИСТЕ, 
(вам аге И ss АИ МР СВЕВИ, 
ВАША MER. ЗЕМУН ИЕ ЊЕН АИ 3S 
БЕ MI) ЉАИВ 0-0) L ВИА МАС ეარი 9) Ја а 
TARDES. Яа ИЕ, ВА XC III 
Јуни ІНЕ. 7-VMIVIIM0151=7 I #C-13.56MLIV 
ВЈ МЕСА) Е. ЗМИЈЕ T. 
ЗЕТ. ПАМТЕ ІН Е. 95 
ЖАРЫМ, ЛЕВИ ТЕНЈ о 


Chris is a seasoned security researcher and testing 
consultant. His main focuses are in reverse engineering 


hardware, fingerprinting USB vulnerabilities and playing 
with Software Defined Radios, with his key strength 
lying in firmware analysis, which he utilises 05 part 

of the hardware testing team at Pen Test Partners. 


з + [72838 - 4 |) 22-42”) 98 РА ИДИ] 
ЖАН). БА АЕ ТЕ ni Aeg ЈА] ПЕТЕ 
(ғ. ЭНФОАЯПОЗВ НИ HARTE RE X 2528 
IM, НЕЗ МЕТІН МУЛ. ЖЕМЕ 
Pen Test Partnersfifift- Wi pr] EA BU— 10547 « 


HOW TO PERFORM SECURITY ANALYSIS ON 
ІОТ EQUIPMENT THROUGH BUILDING A BASE 
STATION SYSTEM 
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Senior Security Researcher, Baidu,Inc. 
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Every year billions more smart devices, like those in vending 
machines automobile central controls Vshared bicyclesN 
smart watches, are connecting 10 the network using 
2/3/46 technology. Оп one hand, we need 10 ohtain the 
data of connections between devices and cloud to analyze 
and find the vulnerabilities. Оп the other hand, as latest 
devices do not have as many direct һгепісіп points to 
exploit, пі по and man-in-the-middle into 2/3/46 traffic 
seem 10 be the trending and effective attacks, which may 
cause serious security issues such as leaking confidential 
information and remote command execution etc. 


In this talk, we will first show how to build a test GSM base 
station system under legal premise, and then introduce 

a new method (inspired from learnings on malicious 

BTS pradices in China) which make the mobile devices 
connected to the test base station system automatically. 
Using this method, we can sniff and run MITM attack easily. 
This affects all kinds of devices using 2/3/46. We will 
demonstrate 4 examples, which use this method to find the 
vulnerability and take control of the devices. At the end, 
we will present how to build a 46 LTE test base station to 
perform the fast and stable testing on mohile devices. 
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Shupeng is a member of Baidu Security Lab. He is 

an expert оп loT security, MI security, penetration 
testing, etc. He was invited to talk on multiple security 
conferences, and successfully рупе IOT equipments 

on XPwn 2016/2017/2018, GeekPwn May/Üctober 
2017, the biggest pwn competitions in China. 
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FROM ANCIENT ТО MODERN: 
DIAGNOSING ROOT CAUSE OF SOFTWARE 
VULNERABILITIES FROM UNEXPECTED 
"P 
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Xinyu Xing 

Assistant Professor, Penn State University. Research Scientist, JD.com 
Jimmy Su 

Head of Security Center, JD.com Silicon Valley 


Despite the best efforts of developers, software inevitably 
contains flaws that may be leveraged as security 
vulnerabilities. Modern operating systems integrate various 
security mechanisms to prevent software faults from being 
exploited. To bypass these defenses and hijack program 
execution, an attacker therefore needs to constantly 
mutate an exploit and make many attempts. While in 

their attempts, the exploit triggers a security vulnerability 
and makes the running process terminate abnormally. 


After a program has crashed and terminated abnormally, 
it typically leaves behind a snapshot of its crashing state 
in the form of a core dump. While a core dump carries a 
large amount of information, which has long been used 
for software dehugging, it barely serves as informative 
debugging aids in locating software faults, particularly 
memory corruption vulnerabilities. As such, previous 
research mainly seeks full reproducible execution tracing to 
identify software vulnerabilities in crashes. However, such 
techniques are usually impractical for complex programs. 
Even for simple programs, overhead of full tracing may 
only be acceptable at the time of in-house testing. 


In this talk, we will introduce a reverse execution technique, 
which takes as input a core dump, reversely executes the 
corresponding crashing program and automatically pinpoints 
the root cause of the vulnerable site hidden behind the 
crash. In the process of performing reverse execution, our 


technique typically encounters uncertainty (e.g., uncertain 
control or data flow) which significantly influence the 
capability of identifying vulnerabilities. To tackle this 
problem, we augment the technique with deep recurrent 
neural network, which poses reverse execution with the 
ability to perfectly infer the control and data flow leading 
up їо the program crash. To demonstrate the utility of this 
technique, we have already used it to analyze hundreds of 
crashes pertaining to more than 300 CVEs, and successfully 
pinpoint the vulnerable site corresponding to each crash. 
Along with this talk, we will release the tool developed 
under our technique and make it publicly available. 
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Dr. Xinyu Xing is an Assistant Professor at the Pennsylvania 
State University, and currently working at JD Inc. as a 

visiting researcher. His research interest includes exploring, 
designing and developing tools 10 automate vulnerability 
discovery, failure reproduction, vulnerability diagnosis 

(and triage], exploit and security patch generation. He was 
the speaker at BlackHat USA, BlackHat Europe and many 
academic conferences (e.g., USENIX Security and CSS). 

He has also received best paper awards from academic 
conferences such as CCS and ACSAC. His works have been 
featured by many mainstream media, such as Technology 
Review, New Scientists and NYTimes etc. He was also the 
organizer of M5 memory corruption forensics competition. 
xingxinyu1983 (wechat] http;//xinyuxing.org (personal site) 


Dr. Jimmy Su leads the JD security research center in Silicon 
Valley. He joined JD in Јапџагу 2017. Before joining JD, 

he was the director of advanced threat research at FireEye 
Labs. He led the research and development of multiple 
world leading security products at FireEye, including network 
security, email security, mobile security, fraud detection, and 


end-point security. He led a global team induding members 
from the United States, Pakistan, and Singapore from 
research to produci releases on the FireEye's first machine 
learning based malware similarity analysis Cloud platform. 
This key technology advance was released on oll core FireEye 
products induding network security, email security, and 
mobile security. He won the Q2 2016 FireEye innovation 
award for his seminal work on similarity analysis. He 
earned his PhD degree in Computer Science at the University 
of California, Berkeley in 2010. After his graduation, he 
joined Professor Dawn Song's team as a post doc focusing 
on similarity analysis of x86 and Android applications. 

In 2011, he joined Professor Song in the mobile security 
startup Ensighta, leading the research and development 

of the automatic malware analysis platform. Ensighta was 
acquired ђу FireEye in December of 2012. He joined FireEye 
through the acquisition. JD security research center in Silicon 
Valley focuses on these seven areas: account security, APT 
detection, bot detection, data security, AI applications in 
security, Big Data applications in security, and 107 security. 
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TRANSFERABILITY OF ADVERSARIAL 
EXAMPLES TO ATTACK CLOUD-BASED IMAGE 
CLASSIFIER SERVICE 
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Senior Security Researcher, Baidu X-Lab. 
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Security Researcher, Baidu X-Lab 

Wang Yang 

Securily Researcher, Baidu X-Lab 


Wei Tao 
Chief Security Scientist, Baidu 
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In recent years, Deep Learning(DL) techniques have heen 
extensively deployed for computer vision tasks, particularly 
visual dassification problems, where new algorithms reported 
їо achieve or even surpass the human performance . While 
many recent works demonstrated that DL models are 
vulnerable to adversarial examples.Fortunately, generating 
adversarial examples usually requires white-box access 10 
ће victim model, and real-world cloud-based image dlassifier 
services are more complex than white-hox dassification 

and the architecture and parameters of DL models on doud 
platforms cannot be obtained by the attacker. The attacker 
can only access the APIs opened by doud platforms. Thus, 
keeping models in the loud can usually give a (false) sense 
of security.In this paper, we mainly focus on studying the 
security of real-world cloud-based image classifler services. 
Specifically, (1) We propose a novel attack methods, 

Fast Featuremap Loss PGD (FFI-PGD) attack based on 
Substitution model ,which achieve a high bypass rate with 

a very limited number of queries. Instead of millions of 
queries in previous studies, our methods find the adversarial 
examples using only two queries per image ; and (2) we 
make the first attempt to conduci an extensive empirical 
study of black-box attacks against real-world doud-based 
dassifier services. Through evaluations on four popular 
doud platforms induding Amazon, Google, Microsoft, 
Clarifai, we demonstrate that Spatial Transformation (ST) 
attack has a success rate of approximately 100% except 
Amazon approximately 50%, FFI-PGD attack have a success 
rate over 90% among different classifier services. 
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Іш Yan (Dou Goodman), Head of Al security team 
of Вади X-Lიხ, is a technology writer of AI Sufety 
Trilogy. His research interests indude MI and network 
security. He starts the open source project Advbox. 


Wang Yang is a senior security researcher of Baidu X-Lab. 
His interests lie in face recognition, adversarial learning, 
and data mining. He maintains and actively contributes to 
Advbox project that is an open source toolbox for А! safety. 


Hao Xin has heen engaged in security product development 
for many years in Baidu. His main research directions 
include object detection and image classification. 


Dr. Tao (Lenx) Wei is the head of Baidu Хар. Prior to 
joining Baidu, he was an associate professor at Peking 
University. His research interests indude software 
analysis and system protection, web trust and privacy, 
programming languages, and mobile securily. 
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Recent developments of fabricating faces іп videos such as 
Deepfakes have raised significant concerns that these deep 
learning techniques may be abused to create pornographic 
video or fake propaganda. In Deepfakes videos, ће füces 
of a person are replaced with the faces of another one. And 
these faked videos are nearly indistinguishable for human. 
We find CNN-based networks can effectively distinguish 
DeepFakes videos from the real ones and present two 
effective methods. Firstly, we use a simple yet effective CNN 
architecture with several convolutional layers to build a 
powerful DeepFakes detector. Secondly, we find a FaceNet 
based method is an effective binary dassifler. FaceNet is 
one of the state-of-the-art convolutional neural networks for 
face recognition, which could catch high-level features of 
faces. We use these features to train an SVM dassifler. The 
iwo methods demonstrate successful detection reaching an 


accuracy rate of 99% and 94% respectively among our 10515. 
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Wang Yang is 0 senior security researcher of Baidu X-Lab. 
His interests lie in face recognition, adversarial learning, 
and data mining. He maintains and actively contributes 10 
Advhox project that is an open source toolbox for Al safety. 


Junfeng Xiong(Jay Xiong) is an Al security 
researcher at Baidu X-Lab. His research interests 
cover deep learning security, privacy and 107. 


Іш Yan (Dou Goodman], Head of АІ security team 
of Вади X-Lიხ, is a technology writer of Al Safety 
Trilogy. His research interests include А! and network 
security. He starts the open source project Advbox. 


Hao Xin has heen engaged in security product development 
for many years in Baidu. His main research directions 
indude object detection and image classification. 


Dr. Tao (Lenx) Wei is the head of Baidu Хар. Prior to 
joining Baidu, he was an associate professor at Peking 


University. His research interests include software 
analysis and system protection, web trust and privacy, 
programming languages, and mobile security. 
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THE ART ОР GAME SECURITY 
WX ARX NE 
Joey Zhu 


Expert/Director 
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The game security is a branch of security without noteworthy, 
but the problems is critical for game survival. The 
underground economy cost billions of dollars loss from game, 
ће presentation will discover some founding at underground 
economy at first. In the main part of presentation will show 
some techniques details of game hacks with comparison of 
traditional security problem. The last part will discuss some 
protection countermeasures against those hacks and exploits. 
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Joey Zhu is ап expert and director at Tencent, and 
working on Game Security since 2013. Previously, he was 
an architect and researcher at Trend Micro China from 
2005 to 2012. His major work focus on PE virus sandbox, 
Script Analysis Engine on web threats and Game Security 
solution. He was honored to be a speaker on the topic 
"Chinese phishing at DEF CON 19", in Las Vegas, in 2011. 
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CHINESE MECHANICAL LOCKS - AN INSIGHT 
INTO A UNIQUE WORLD OF LOCKS 
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Lucas Zhao 
UrbanHawk 


In most of the world, the lock market is pretty unremarkable. 


However, there is a whole other world of lock designs 

that are sold exclusively to the Chinese domestic market. 
This presentation will discuss a variety of topics regarding 
Chinese mechanical lock designs, from the unique dynamics 
of the market that fostered these designs, to flaws present 
in these designs, as well as how we сап use some of these 
principles present in these locks for use in other situations. 
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Lucas Zhao (UrbanHawk) is a 19-year-old lockpicker (albeit 
a mediocre one) with a special interest in Chinese locks, 
and an avid collector of locks from oll over the world. He 
has been dissecting and researching locks since he was 10 
years of age, and has a fairly comprehensive knowledge 
of all things related to locks. He loves to talk endlessly 
about his lock interests to anyone who will listen, much 

їо the annoyance of his friends, who now avoid actively 
avoid him. He currently attends Case Western Reserve 
University in Cleveland, OH as an undergraduate student. 
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HACKING DRIVERLESS VEHICLES 
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Did you watch Total Recall and wish you could fuck up 
JohnnyCab? Driverless vehicles are here at last and practically 
ripe for the hacking. Autonomous and unmanned systems 
already patrol our skies and oceans, and are being tested on 
our streets, highways and sidewalks. All trends indicate these 
systems are at an inflection point that will show them rapidly 
becoming commonplace. It is therefore a salient time for a 
discussion of their capabilities and potential vulnerabilities. 


This session will be an informative and light-hearted look at 
the current state of civil driverless vehicles and what hackers 
or other reprobates might do to mess with them. Topics 
covered will indude the full suite of common and proposed 
sensors, decision profiles and potential failure modes that 
could be exploited. This talk aims to both inspire unmanned 
vehicle designers and end users 10 think ahout robustness 
10 adversarial and malicious scenarios, and to give the 
paranoid false hope of resisting the robot revolution. 
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Тол is a robotics interface designer and rapid prototyping 
specialist. As co-host of the Discovery Channel show 
'Prototype This!" he pioneered urban pizza delivery with 
robotic vehicles, including the first autonomous crossing 
of an adive highway bridge in the USA, and airborne 
delivery of life preservers at sea from an autonomous 
aircraft. He, for one, welcomes our new robot chauffeurs, 
and would only mess with them out of tough love. 
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| want to thank everyone who has helped to make DEF 
CON China 1.0 possible. 


Thank you to Ma Jie and Baidu Security for their long 
term vision to bring DEF CON to China, and Wang 
Yingjian, Zhao Xuan and Zhang Jin from XFuture for 
their excellent operational and professional support. 
Without these people we wouldn't be here. Liu Ye, 

Ma Meng, Wu Qiong and Song Ai from Baidu Security. 
Translating language and culture between Chinese and 
English was critical, a big thank you to Cayce for all her 
late night work. 


Thank you to the DEF CON staff: Nikita, Neil, 
Darington, Cayce, Will, Linda, and Janet for helping 
make this happen. Zant from Villages, Tottenkoph from 
Workshops, Grifter from Contests and Events, Kampf 
from Entertainment, and the entire CFP Review Team. 


Thank you to the speakers, workshop trainers, villages, 
demo labs, and contest organizers who brought the 
content and knowledge to share. | hope that people 
will leave here with new ideas, friends, and a desire to 
share what they have learned. 


I'd like the thank Kingpin for coming out of badge 
design retirement and building an amazing flexible 
badge and showing off some amazing one man power 
management tricks. Our resident artist, Mar, made their 
first trip to China and their vision surrounds us with 
much of the art they created. Thank you for the live 
mural painting and ability to try and capture the hacker 
spirit through art. 


Thank you to the DEF CON Groups in China and all 
of the community supporters, sponsors and press who 
helped spread the word of our conference. 


Finally | want to thank you for taking your time and 
money to help make DEF CON something special. We 
are trying hard to build a different kind of conference 
in China and while the road may be difficult | believe in 
the value of the journey. 


I look forward to seeing everyone next year at DEF 
CON China 2 next year, 


- The Dark Tangent 
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